January 15, 2010

Top 10 Security "Predictions" for 2010


As one of the world's leading security vendors, VeriSign has been asked to discuss the top 10 most important security areas for 2010. So, ahead of my new year's resolution, I decided to indulge (after a year working heads-down on a single product, it is a fun exercise to think of all the things that you have been missing out on). Although the list is far from complete, it is clear to me that there is no recession for the bad guys. In fact, it has probably never been a more interesting time to be in the security business.


Security Prediction #1:
Cloud Security (Securing the Next IT Infrastructure)

Call it cloudmania or software as a service (SaaS) hype: data, applications, networks, the whole IT infrastructure is shifting to the cloud. With it, a large chunk of today's IT budgets will be redistributed to the next Google of the cloud. In 2010, SaaS security will be at the forefront as chief information officers ponder their increasing reliance on external business applications: "Is my data safe? Is my security policy enforced? Am I still compliant?" Federated identity and access management services across SaaS will start providing some answers, and strong authentication will bolster identity services. Cloud platforms such as Microsoft® Azure and Rackspace will lead the industry in redefining key and certificate management within cloud environments.


Security Prediction #2:
Website Security (the Growing Threat of Web Malware)

The Web is a growing channel for malware distribution. From February to August 2009, the Google search blacklist grew by 65%. It is now very clear: bad guys want to infect popular Web sites with malware to silently take over your desktop as you browse the Web. Their weaponry is as effective as it is diverse: hidden IFrames, obfuscated JavaScript, and malicious browser add-on objects. The arsenal and sophistication of these exploits are growing daily. Even with anti-virus running on your machine, your odds of being infected while visiting a drive-by download site may be more than 1 in 2. Let us face it: Web pages have become sophisticated programs. They are increasingly becoming a dominant attack vector for all the world's hackers who are seeking home computers for their botnets and consumer identities for their piggy banks. As the threat increases over time, drive-by malware protection will become an important check for any commercial Web site.


Security Prediction #3:
Virtualization Security (Protecting the Cloud Operating System)

Securing virtualized environments is an absolute necessity. After all, virtualization is to the cloud what the browser is to the Web. Some see the hypervisor as the ultimate rootkit. We see virtualization as an opportunity to improve security through end-to-end automation. Combined, virtualization and the shift to the cloud provide a unique opportunity to transform the way we do security today. Virtualization enables security automation. Automation will streamline security deployment and ongoing management, taking us to levels that we simply could not achieve before. As virtualized switches reduce networking cost and complexity, virtualized security appliances and virtualized component certification will reduce the difficulty of deploying secure environments. For now, many questions remain: How do I secure my virtual images? How do I ensure the integrity and confidentiality of my enterprise server, employee desktop, and mobile phone templates and images? How do I make sure that all the data that these edge-deployed images consume and produce is protected by keys to which no one else has access? As end-point deployment converges to an automated assembly of virtualized software components (operating system, applications, firewalls, anti-virus, intrusion prevention system, intrusion detection system, load-balancer, policy servers, etc.), how do I make sure that these elements are authentic, patched, and selected according to my security policies? For many years, we have been securing code for ActiveX and Java applications. The next generation of trusted software may well be virtual images.


Security Prediction #4:
Mobile Security (From Mobile Phone to "Security Remote")

Thieves steal a laptop every 53 seconds, and authorities never recover approximately 97% of these devices, according to the FBI. Worse, thieves will steal one out of every 10 laptops within 12 months of purchase. With the explosion of smart phones around the world, the new mobile platforms are about to become a hacker's dream and a corporate IT nightmare. It is no coincidence that 2009 saw the first iPhone worm. In a world of untethered devices (laptops, netbooks, smart phones, tablets), personal and corporate data must be encrypted, remote mobile access must be strengthened, and mobile end-point security must be deployed. Over time, mobile devices and the alternate digital channel that they enable will turn into a "personal security remote control". Indeed, we all need the choice of stronger security that does not impact the convenience of our digital lives.


Security Prediction #5:
Social Networks Security (Bringing Trust to Social Communities)

There are clear and obvious dangers associated with social networking, including personal data theft, malware, and scams. The most prevalent threats often involve online predators or individuals who claim to be someone that they are not. A December 2009 study from Sophos Plc. showed that 41% to 46% of contacted users "blindly accepted" friend requests from fake Facebook users created by the security firm. As businesses increasingly start leveraging social media to interact with consumers, business authentication, reputation, and trust marks should have an important role to play in the social neighborhood. Because trust is essential to any form of business, in 2010, social applications and games may seek trusted third parties to identify, certify, and signal legitimate businesses that comply with industry best practices.


Security Prediction #6:
Safe Navigation & Search (Surfing with Peace of Mind)

On today's Internet, clicking on a hyperlink may end up being the riskiest decision for millions of Internet users. In a Web of phishing, drive-by malware and scams, what lies behind the link can indeed be deceiving. In 2010, Web navigation will need to get safer. Already, we are working with bit.ly to identify malicious shortened URLs. More global and impactful is the announcement to deploy DNSSEC across .COM and .NET in 2011. Because DNS is at the heart of Web navigation, the introduction of DNSSEC within the Internet infrastructure should have a profound effect on bolstering security across Web browsers, directories and search engines. Less obviously, DNSSEC could also change the way developers create secure APIs on the Web. DNS is a powerful directory protocol. Yet, most Web platforms use REST APIs over HTTP/HTTPS, and not DNS. This is due in part to the extra security and trustworthiness provided by HTTPS over plain DNS, which is subject to man-in-the-middle (MITM) attacks. However, when it comes to scale and operational costs, large data lookup systems based on DNSSEC APIs could be more cost-effective than those based on HTTPS. As DNSSEC becomes ubiquitous across the Internet fabric, trust services, new directories and large dataset lookup systems based on DNSSEC could emerge. Someone just needs to invent the equivalent of JSON to encode key-value pairs over DNS. So could DNSSEC change the way Internet architects design open, secure Internet systems tomorrow? Certainly, it will be up to the developer community to decide, but 2010 may be the year when DNS becomes a viable alternative.


Security Prediction #7:
Network Security (Elastic DDoS Protection)

With Facebook and Twitter in the bad guys' cross-hairs, the increasing threat of distributed denial of service (DDoS) has reached unprecedented notoriety. Across the world, DDoS attacks have risen to unprecedented levels. Looking forward, our increasing reliance on public networks to support commerce, mission-critical IT applications, and communication will continue to drive the need for DDoS protection. Because DDoS protection is a game of scale, DDoS monitoring and mitigation cloud services should play a pivotal role in keeping public and private networks safe in 2010.


Security Prediction #8:
Consumer Identity Trust (the Emergence of User-Centric Policies)

The evolution of the World Wide Web into a user-centric, real-time and distributed information system has never been so evident. In less than 15 years, our center of attention on the Web has already shifted from the highly centralized portals to the more distributed blogosphere, the more personal Facebook pages of our friends, and the more real-time Twitter streams of our specialized interests. Increasingly, the content and data that truly matter to each of us have become de-centralized, personal and real-time. As the Web continues this inexorable mutation into a user-centric, distributed and real-time information system, the imperative for a new identity system becomes blatantly clear. The necessity for each of us to control and protect our content and data across multiple service providers eventually drives the emergence of an open identity order that goes beyond the artificial locks imposed by large user and social communities. If the data and content that matter to us are personal, distributed and real-time, surely these new identity services will need to ensure that they remain authentic, safe and private. In 2010, open identity systems will continue to garner momentum. Governments will begin deployment. Because interoperability cannot be achieved with technology alone, an open policy framework will emerge as the foundation for identity privacy, security and trust.


Security Prediction #9:
Securing the Smart Grid (Safe Clean Tech)

Saving energy and improving the management of energy are high on today's political agenda. With millions of individual homes, apartment buildings and offices, the network of things will likely be larger than the World Wide Web. Securing the smart energy grid cannot be an afterthought. The interconnection of consumer devices, meters, distribution and transmission infrastructure, and energy providers into an intelligent network may not only be a country's largest growth and innovation opportunity, it could also be its greatest liability. The network of things will have to be trusted from day one. This worthy endeavor will drive the deployment of next generation cryptography, embedded certificates and trusted computing for smart grid elements. It is still early, but there is no alternative: the smart grid will have to be secure or it won't be.


Security Prediction #10:
Browser Security (Stopping the Man in the Browser)

Browser security seems to be as much an art as it is a science. As anti-virus companies and hackers keep on playing the cat-and-mouse game, new approaches for protecting users against malware are starting to emerge. Browser sandboxing is a promising area. Cloud-based AV provides another innovative approach. Most corporate users are already familiar with AV Web proxies, which process Web pages in real time and filter based on signatures and blacklists. Real-time updates and shared threat intelligence are some of the key advantages of cloud-based malware detection. The approach has merit since signatures can take days to be written while malware can morph in hours. Browser and plug-in vulnerabilities will keep on driving desktop threats in 2010. The VeriSign iDefense team will keep on publishing zero-day exploits and vulnerabilities ahead of attackers. If last year's trends are any indication of what the next year will look like, they have their work cut out for them.


November 26, 2009

The inexorable convergence of cloud and security services


Concerns for the security of applications running in the cloud are running high. The perceived lack of security of cloud platforms is often cited as the primary obstacle to adoption. Whether "cloud" is defined as infrastructure as a service (storage and compute services à la Amazon), platform as a service (application deployment environment à la Google App Engine), or simply as application outsourcing (SaaS à la SuccessFactors), almost everyone is lamenting the security inadequacies of these new computing platforms.


This raises the question whether cloud providers should envision becoming security companies. After all, why would CIOs ever shift their entire IT infrastructure to the cloud unless the cloud came with strong security, compliance assurance and operational risk management? Conversely, should security companies rapidly transform themselves into cloud providers? After all, why would an enterprise that has crossed the Rubicon of moving its IT infrastructure to the cloud ever want to keep on buying security from a security company? Instead, would not enterprise customers expect cloud service providers to bake in security as part of the cloud offering? Despite the need for secure clouds, security companies are not yet focusing on IT infrastructure as a service. Instead, most security vendors are exploring security as a service, that is, the cloud as a delivery mechanism for traditional security services. The MessageLabs acquisition by Symantec, the MX Logic acquisition by McAfee and the recent acquisition of ScanSafe by Cisco give credence to the popularity of the cloud as the savior for all enterprise security companies faced with the specter of contracting software license revenues and profit margins.


Interestingly, the so-called insecurity of the cloud does not need to be a perennial curse. The shift of IT to the cloud actually provides a significant opportunity to improve the way we do IT security today. In the same way as the cloud is transforming IT deployment and management, it will transform security. Consider, for example, vulnerability and patch management. From a security standpoint, the most tangible risk is the failure to keep up with the constant, labor-intensive process of patching, maintaining and securing each server in a company. Although vulnerability assessment can be automated through external network and application penetration testing, there is still a lot of labor-intensive process and extreme customer pain in patching networks, servers and software: ports must be closed, networks must be segmented, patches must be installed, application code needs to be changed, etc.


Contrast this to what the cloud can enable. If an application is running in the cloud, the cloud provider takes responsibility for the hardware, OS, network, and third-party software, making sure they are hardened and certified. A choice of infrastructure elements with varying security assurance levels is offered, but the customer's internal security policies govern deployment. All infrastructure elements are periodically pen-tested for known and zero-day exploits. As new vulnerabilities are identified, an automated patch process is implemented. New virtual images are built and automatically deployed across the virtualized infrastructure. Virtual switch segments and firewall rules are updated in real time. When vulnerabilities are found in the custom IT application code, a virtual Web application firewall automatically blocks them. Virtual IPS and IDS capture, correlate and log all security events. Compliance logs, reports and scan results are automatically sent to customers and auditors while being securely archived. An end-to-end managed security model, orchestrated by a pool of specialized and over-trained security administrators, becomes possible; a far cry from today's reality of patching and software security maintenance.


Therefore, far from being a security liability, the shift to the cloud is an opportunity to streamline, automate and strengthen IT security. For progressive security companies, this could be game changing. For those unable to renounce their addiction to an aging licensing business model, it could be doomsday. In the same way that the cloud is challenging software platform vendors and ISVs, the cloud is about to disrupt the world of security. The quest for security differentiation in cloud platforms may even drive industry consolidation. Of course, skeptics will assert that the cloud is a fad and that nothing is really changing (watch Larry Ellison at the Churchill Club exposing the hype). Denying the transformational nature of virtualization (the genuine cloud OS) and multi-core computing technologies may be shortsighted. Ignoring the business model disruption of pay-as-you-go over software licensing may prove unwise. Personally, after a year of contracting GDP and anemic recovery forecasts, I find it invigorating to believe that a once-in-a-decade technology disruptor and market breaker lies right in front of our industry. With all due respect to Mr Ellison, for once, keeping your head in the cloud may be the smartest IT business strategy for many years to come.

November 3, 2009

Trust assurance in open identity networks


One of the key challenges in a federated authentication network is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer-to-peer contracts between many identity providers and a myriad of relying party websites do not provide for a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).


The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into an open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance framework should be flexible enough to support different levels of assurance based on the transaction risk and value. For low assurance Web federation, where large brands such as email providers and major social networks dominate as OPs, certification may seem overkill, unless of course the federation is built on open principles stating that any OP meeting the standard should be able to participate. For high assurance identity, such as payment networks, financial networks or eHealth record exchanges, certification is essential. In fact, in such environments, both the OP(s) and the RPs need to be certified.


The NIST guideline for electronic authentication is often referenced in the community as a good model for any identity trust framework. The NIST guideline defines four levels of assurance for e-authentication. Each level is deemed appropriate depending on transactional risks. Tiered levels of identity assurance are essential to any pragmatic trust framework. Set the bar too high and deployment becomes impractical. Set the bar too low, and the bad guys will have a ball. Justifiably, the NIST guideline provides a solid starting point. Nevertheless, one needs to observe that the framework may be too narrowly focused on user credentialing and credential strength to provide a complete answer. Open identity systems cannot ignore the reality of today's Web vulnerabilities, threats and exploits that feed identity theft around the globe, such as man-in-the-browser exploits, session hijacking or Web-vulnerability-driven exploits like mass SQL injection. A trust standard also needs to go beyond security and address the major consumer concerns and political challenges of privacy. When it comes to trusting identities, security, privacy and anonymity are intricately intertwined. Trust in a federated identity Web mandates a holistic approach that looks not only at user authentication but also takes into account the current state of desktop exploits and Web site compromises and, most importantly, establishes clear and enforceable privacy protection guidelines.


Trusting the OP/RP Websites: web security & business authentication


For low and medium assurance identity transactions, it seems to me that both the OP and RP website security would need to be asserted. There, I think, one can learn from Internet security standards such as PCI. Even though the standard is far from being perfect (a euphemism, perhaps), it provides a shared base of security requirements for all websites that engage in ecommerce and securely handle credit card information. If one believes that consumers will require for their personal identity the same level of security as for their credit card, the parallel can be useful. The OP website should then be scanned for network security vulnerabilities; unneeded ports should be closed; network services should not run outdated or un-patched software; the OP should not be vulnerable to common Web exploits such as SQL injection, cross-site scripting (XSS), or cross-site request forgery (CSRF). For web application vulnerabilities, the OWASP standard that identifies the top 10 Web vulnerabilities provides a useful reference. In addition to security assessment, a set of security best practices should be required. For example, the OpenID profile retained by the federal pilot already specifies that SSL should be part of the deployment profile. Verifying the authenticity and legitimacy of the organization behind the OP is as important as verifying the security of its website. There, a proven model that the industry could re-use is the EV business authentication standard. EV certification already defines a strong process for vetting organizations and it is already widely used across the industry.


Trusting the user: beyond identity verification and credentials


As mentioned, NIST will provide the foundation for user trust assurance (both for runtime and initial authentication of end users). Equally important, however, is to consider that Internet threats have significantly evolved since the NIST framework was initially published. In particular, we need to recognize that one of the main threat vectors for identity theft is now malware. An identity trust framework can no longer ignore the potential of man-in-the-browser attacks (Trojans, key-loggers, worms, etc.). Knowing whether the end user has any end-point protection (and maybe encouraging websites to introduce out-of-band messages into high assurance identity transactions when such protection is lacking) could be worth considering.


Trusting the transaction: from activity to security streams


Believing that the OP can provide strong identity assurance by simply checking credentials and abandoning the user at the RP front door is a dangerous over-simplification. Because modern exploits often let the user authenticate and then commit fraud further down the session, it is important to enable OPs to leverage their knowledge of the end user and her transaction patterns to identify high-risk conditions. Since we cannot assume the existence of adequate desktop protection (Internet security that exclusively relies on the presence of a client on the user desktop is no more than an academic exercise), high assurance federation models need to enable the use of fraud-engine techniques across RPs (most logically run at the OP, although it could be a separate service). The ability to create an effective user risk profile across transactions is what has made the credit card networks work. High assurance identity networks are going to need an equivalent (think VISA of identity). An interesting idea could be to leverage the concept of an activity stream as a real-time fraud detection primitive. A security stream back to the OP (under complete user consent and strict privacy protection) would allow RPs to feed transactional information back to the OP, allowing it to build a complete risk profile of the user across her Internet activities (fraud detection is often based on clustering techniques that measure abnormal deviation from normal behavior). Even without a risk engine running at the OP, a security activity stream could have tremendous security value if used as a simple identity alert system to notify the user of all ongoing transactions. In high risk cases, the activity stream could trigger an out-of-band consent for the transaction (think of Visa calling you to confirm and authorize a suspicious transaction); it is interesting to think that the social concept of activity stream that is today missing from OpenID (not from Facebook Connect) could actually be used to drive better identity theft protection. With such a transactional feedback loop, a security-minded OP would be able to return a transaction score and possibly a liability guarantee based on the user risk and behavioral profile built over time. Incidentally, interesting new OP business models could emerge (VISA-like: "I will take a cut of the transaction", Credit-Bureau-like: "I will charge you for the score", Insurance-like: "I will take the liability risk").
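The feedback loop described above, as an added illustration that is not VeriSign's or the author's code: relying parties push transaction events back to a toy OP-side risk engine, which scores each event by its deviation from the user's own baseline and maps the score to allow, notify the user, or require out-of-band consent. The event fields, the weights and thresholds, and the sample stream are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One entry in the security activity stream an RP sends back to the OP.
    Field set is an assumption; a real profile would be negotiated in the trust framework."""
    user: str
    rp: str        # relying party that observed the transaction
    action: str    # e.g. "login", "purchase", "change_address"
    amount: float  # monetary value, 0.0 for non-monetary actions
    hour: int      # local hour of day, 0-23
    country: str   # client geolocation as seen by the RP


ALLOW, NOTIFY, CONFIRM = "allow", "notify", "confirm_out_of_band"


def _hour_gap(a: int, b: int) -> int:
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class SecurityStream:
    """OP-side behavioral baseline built from consented RP feedback.

    Only completed, user-consented events should be ingested, so that a
    transaction that was later refused or disputed never becomes 'normal'."""

    MIN_HISTORY = 3  # below this many priced events, amount deviation is not judged

    def __init__(self) -> None:
        self._history: Dict[str, List[Event]] = defaultdict(list)

    def ingest(self, ev: Event) -> None:
        self._history[ev.user].append(ev)

    def score(self, ev: Event) -> float:
        """Return a risk score in [0, 1]: sum of deviation signals, capped at 1.
        Weights are constructed for the example, not tuned on real data."""
        hist = self._history[ev.user]
        score = 0.0
        # Relying party never seen for this user (also fires for a brand-new user).
        if all(h.rp != ev.rp for h in hist):
            score += 0.3
        # Client country never seen before: a strong signal once history exists.
        if hist and all(h.country != ev.country for h in hist):
            score += 0.4
        # Hour of day more than 3 hours away from every previous event.
        if hist and all(_hour_gap(h.hour, ev.hour) > 3 for h in hist):
            score += 0.2
        # Amount deviation: z-score of this amount against the user's prior amounts.
        amounts = [h.amount for h in hist if h.amount > 0]
        if ev.amount > 0 and len(amounts) >= self.MIN_HISTORY:
            mu, sigma = mean(amounts), pstdev(amounts)
            if sigma > 0:
                z = (ev.amount - mu) / sigma
            else:  # constant history: any different amount is treated as extreme
                z = 0.0 if ev.amount == mu else 3.5
            if z > 3:
                score += 0.4
            elif z > 2:
                score += 0.2
        return min(score, 1.0)

    def decide(self, ev: Event) -> Tuple[str, float]:
        """Map the score to the transaction outcome the OP returns to the RP."""
        s = self.score(ev)
        if s >= 0.7:
            return CONFIRM, s   # Visa-style out-of-band consent before proceeding
        if s >= 0.3:
            return NOTIFY, s    # proceed, but alert the user through the stream
        return ALLOW, s


def demo() -> Dict[str, Tuple[str, float]]:
    """Constructed sample stream: three consented purchases, then four new events."""
    op = SecurityStream()
    for amt, hr in ((20.0, 19), (25.0, 20), (30.0, 18)):
        op.ingest(Event("alice", "shop-a", "purchase", amt, hr, "US"))
    return {
        "routine": op.decide(Event("alice", "shop-a", "purchase", 28.0, 19, "US")),
        "large_amount": op.decide(Event("alice", "shop-a", "purchase", 60.0, 20, "US")),
        "anomalous": op.decide(Event("alice", "casino-z", "purchase", 900.0, 3, "RO")),
        "new_user": op.decide(Event("bob", "shop-a", "login", 0.0, 12, "US")),
    }


if __name__ == "__main__":
    for name, (decision, s) in demo().items():
        print(f"{name:13s} -> {decision:20s} score={s:.2f}")
```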


Ensuring trust across these three dimensions (the organization, the website and the user) is non-trivial. Yet, it is critical to enable consumers worldwide to engage in shared identity interactions with peace of mind across the Internet. Very much like PCI vendors emerged from the existence of a commercial PCI standard, one would hope that identity trust assurance services could emerge as well, since security companies need economic drivers to build great services. One of the key challenges of the standard will be to strike a balance between where to set the security bar and the need to permit a high level of automation for accreditation. Such a balance is always hard to strike, but it is also what makes the challenge worthwhile.

September 22, 2009

OpenID goes to the White House

Two weeks ago, I had the privilege to join the OpenID Foundation and Information Card Foundation boards for a meeting with Federal CIO Vivek Kundra and his staff at the White House. The goal was to discuss the forthcoming OpenID pilot and better understand the government's commitment to enabling distributed identity on the Web. Undeniably, this was a very interesting and spirited discussion.


A key take-home for me was the recognition of identity as the linchpin of new citizen-centric services, governmental IT cost reduction, and stronger cyber security. For key Obama initiatives such as citizen participation or electronic health records, identity management was described as foundational. Equally impressive was the sense of a holistic and consensual approach towards the broad deployment of trusted digital services across federal, state and local Web sites.


In particular, there is a clear view that the deployment of low assurance level identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and, as such, it requires training. Federal and state Web sites will provide an important training ground of relying parties. The government endorsement of OpenID is likely to prove significant. After all, if OpenID is good and secure enough for the government, it should be good and secure enough for most Web sites. Besides, once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game, since high assurance identity services are pre-conditions to new strategic initiatives.


Consider health care reforms, for example. To counterbalance the $900B expense that the new Obama plan calls for, electronic health records must come to reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, log in and access private data across physicians', hospitals', pharmacies', labs', insurers' and employers' Web sites. Privacy and security concerns are high on the list. Without high assurance, clear liability models and robust shared identity services, eHealth is a non-starter.


The crawl, walk, run approach to identity services that our federal government is taking may prove insightful. By restricting initial interaction to pseudonymous and low assurance level identities, federal Web sites instantly provide the industry with a simple test bed to iron out the trust and privacy frameworks necessary to the deployment of large federated identity networks. User experience, privacy policy and security approaches that can work for millions of consumers will have to be standardized. The liability elephant that has been haunting the identity discussion rooms will have to be tamed. No doubt the OpenID Foundation, the Information Card Foundation and many others have their work cut out for the next few months.


So, keep an eye on the pilot. If all the planets keep aligning, and federated identity can prove to significantly increase user registration, an important chapter in the book of distributed identity systems may be just about to open in front of us.

September 8, 2009

Open identities for open civic action? Yes, we can!

Today, Federal CIO Vivek Kundra is announcing the first pilot for the government's Open Identity initiative. The pilot will support both OpenID and Information Card technologies. Initially, it will be conducted by the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS) and other agencies. Over time, over 500 governmental Web sites may become OpenID relying parties, potentially creating one of the largest federated identity networks.


Of course, VeriSign and the PIP will participate in the pilot as OpenID authentication services. This means that your VeriSign PIP ID will be accepted across participating federal Web sites. Saying that we are proud of being a part of this important announcement would be an understatement. The Open Identity initiative is a crucial step in President Obama's mandate for open citizen participation on key society issues such as health care, ecology and energy.


The goal is as bold as it is audacious. By embracing open and distributed identity systems, the US government is taking a resolute step towards turning the Web into an organizing engine for participative civic action. Identity is foundational. Making it easy for users to register and participate in government Web sites is smart. Removing obstacles to participation by allowing citizens to manage their digital identity through independent service providers of their choice is inspired. Yes, the tone is definitely right. Civic participation should be based on principles as open as the Internet that enables it.


User centric identities for a citizen centric Internet? It certainly feels very right to me.

Read our Press Release.