Skip to main content

Posts

12 Steps to Zero Trust Success

A Google search for “zero trust” returns ~ 195Million results.  Pretty sure some are not necessarily related to access management and cyber security, but a few probably are.  Zero Trust was a term coined by analyst group Forrester back in 2010 and has gained popularity since Google started using the concept with their employee management project called BeyondCorp.


It was originally focused on network segmentation but has now come to include other aspects of user focused security management.

Below is a hybrid set of concepts that tries to cover all the current approaches.  Please comment below so we can iterate and add more to this over time.


Assign unique, non-reusable identifiers to all subjects [1], objects [2] and network devices [3]Authenticate every subjectAuthenticate every deviceInspect, verify and validate every object access requestLog every object access requestAuthentication should contain 2 of something you have, something you are, something you knowSuccessful authenticatio…
Recent posts

Cyber Security Skills in 2018

Last week I passed the EC-Council Certified Ethical Hacker exam.  Yay to me.  I am a professional penetration tester right?  Negatory.  I sat the exam more as an exercise to see if I “still had it”.  A boxer returning to the ring.  It is over 10 years since I passed my CISSP.  The 6-hour multi-choice horror of an exam, that was still being conducted using pencil and paper down at the Royal Holloway University.  In honesty, that was a great general information security bench mark and allowed you to go in multiple different directions as an "infosec pro".  So back to the CEH…

There are now a fair few information security related career paths in 2018.  The basic split tends to be something like:

Managerial  - I don’t always mean managing people, more risk management, compliance management and auditingTechnical - here I guess I focus upon penetration testing, cryptography or secure software engineeringOperational - thinking this is more security operation centres, log analysis an…

The Role Of Mobile During Authentication

Nearly all the big player social networks now provide a multi-factor authentication option – either an SMS sent code or perhaps key derived one-time password, accessible via a mobile app.  Examples include Google’s Authenticator, Facebook’s options for MFA (including their Code Generator, built into their mobile app) or LinkedIn’s two-step verification.  There are lots more examples, but the main component is using the user’s mobile phone as an out of band authenticator channel.

Phone as a Secondary Device - “Phone-as-a-Token”

The common term for this is “phone-as-a-token”.  Depending on the statistics, basic mobile phones are now so ubiquitous that the ability to leverage at least SMS delivered one one-time-passwords (OTP) for users who do not have either data plans or smart phones is common.  This is an initial step in moving away from the traditional user name and password based login.  However, since the National Institute of Standards and Technology (NIST) released their view that…

How Information Security Can Drive Innovation

Information Security and Innovation: often at two different ends of an executive team’s business strategy. The non-CIO ‘C’ level folks want to discuss revenue generation, efficiency and growth. Three areas often immeasurably enhanced by having a strong and clear innovation management framework. The CIO’s objectives are often focused on technical delivery, compliance, uploading SLA’s and more recently on privacy enablement and data breach prevention. So how can the two worlds combine, to create a perfect storm for trusted and secure economic growth?

Innovation Management  But firstly how do organisations actually become innovative? It is a buzzword that is thrown around at will, but many organisations fail to build out the necessary teams and processes to allow innovation to succeed. Innovation basically focuses on the ability to create both incremental and radically different products, processes and services, with the aim of developing net-new revenue streams. But can this process …

2020: Machine Learning, Post Quantum Crypto & Zero Trust

Welcome to a digital identity project in 2020! You'll be expected to have a plan for post-quantum cryptography.  Your network will be littered with "zero trust" buzz words, that will make you suspect everyone, everything and every transaction.  Add to that, “machines” will be learning everything, from how you like your coffee, through to every network, authentication and authorisation decision. OK, are you ready?

Machine Learning I'm not going to do an entire blog on machine learning (ML) and artificial intelligence (AI).  Firstly I'm not qualified enough on the topic and secondly I want to focus on the security implications.  Needless to say, within 3 years, most organisations will have relatively experienced teams who are handling big data capture from an and identity, access management and network perspective.

That data will be being fed into ML platforms, either on-premise, or via cloud services.  Leveraging either structured or unstructured learning, data fr…

Bot Protection During Signup and Signin

Bots, bots bots.  They're everywhere apparently.  They are becoming more complex and cause havoc to customer facing identity management systems, IoT devices and more.  Fake accounts.  Dummy accounts.  Redundant accounts. Orphan accounts.  Fraudulent accounts.  Not to mention DDoS (Distributed Denial of Service) attacks.  Mine field.

Well, there are certainly some basic steps that can be taken to help identify and prevent bot usage of the key identity management services many public facing API's and applications expose.  Firstly, let's describe some of the main functional areas bots are likely to attack.

A Design for Modern Authentication

The password is dead. Long live the password! I have lost count of how many articles and blogs I have seen with regards to the weaknesses, the management, the flexibility, security, insecurity and overall usage of passwords when it comes to user authentication. We all use them and they’re not going anywhere any time soon. OK, so next step. What else can and should we be using for our user and device based authentication and login journeys?

Where We Are Now – The Sticking Plaster of MFA
So we accept that the traditional combo of user name and passwords is bad for our (system) health. Step forward multi-factor authentication. Or 2FA. Take your pick. This generally saw the introduction of something you have in the form of a token, phone-as-a-token or some other out of band mechanism that would create a one-time-password. Traditionally the “out of band” mechanism was either an email or SMS to a preregistered address or phone number, that contained a 6 digit pass code. Internal or employee…