Paul McLellan

Identity Is the New Perimeter

7 Apr 2022 • 9 minute read

(Photo: SecurID token)

On March 10th, Black Hat organized a webinar called Identity is the New Perimeter. If you know anything about security, then you might guess that this webinar was going to be about zero trust.

The first presenter was Charl van der Walt from the Cybersecurity division of Orange Mobile. No, that is not a typo; he was attending from Cape Town in South Africa. The other presenter from Orange was Wicus Ross.

The challenge of cybersecurity has changed a lot over the years. When I worked for Cadence at the end of the 1990s, we were all issued SecurID tokens (made by RSA, see the picture at the start of this post). These displayed a six-digit number that changed every minute. To connect to Cadence required a username and password, as usual, but also the six-digit number for that minute. But once you were in, you were in, and could do most Cadence things that you might want to do, such as reading your email. This is known as perimeter defense, and the traditional analogy is a castle with a moat and walls. It is hard to get in, but once you get across the moat and breach the walls, you are in and there are no more walls and moats. By the way, the main purpose of the moat was not that it is hard to get across, but to prevent sapping of the walls. With no moat, it was possible to tunnel under the walls, supporting the tunnel roof with wooden props. When the tunnel was long enough and wide enough, the props were set on fire and the wall, now with no foundation, would (hopefully, if you were the sappers; hopefully not if you were in the castle) collapse.

(Photo: Charl and Wicus, Orange Mobile)

In the early days of the Internet this worked fine, even with lots of telecommuting and road warriors, since services at most companies, Cadence included, were hosted on servers inside the company, inside the moat and walls, as it were. Two big things have changed since then. The first is the arrival of the cloud and of everything-as-a-service. Many functions, such as Salesforce or Workday, were now hosted in the cloud, outside the moat and walls, so perimeter security on its own simply didn't work. At first, this meant that every service needed its own password and, perhaps, other authentication like SecurID. As services proliferated, that became inconvenient, to say the least. The problem was then magnified in the last couple of years by Covid-19, lockdown, and work-from-home. This turned the change from perimeter defense to zero-trust security from something that was nice to have into something that was (and is) business critical.

The concept of a VPN (virtual private network) started as early as the 1980s with NIST's Secure Data Network System, with further developments through the 1990s, such as the Gauntlet Firewall using 3DES (triple application of the Data Encryption Standard). IPsec was born with RFC 1825 and RFC 1827. Microsoft released PPTP, the Point-to-Point Tunneling Protocol. In the late 1990s, L2TP, the Layer 2 Tunneling Protocol, was released (RFC 2661). By the early 2000s we had OpenVPN. All of this made VPNs stronger and more standardized.

But there were some big issues. Most people were connecting to the internet via wi-fi, and the wi-fi access point could not be trusted. VPNs did nothing to address that; it was simply outside the traditional engineering of a VPN.

In 2003, the Jericho Forum started. It was an international group working to define and promote de-perimeterization. It was initiated by David Lacey of the Royal Mail, and grew out of a loose affiliation of interested corporate CISOs (Chief Information Security Officers) who had been discussing the topic since the summer of 2003. It eventually declared success in 2013, and merged with The Open Group in 2014. Its rallying cry was essentially:

The perimeter is dead and there is no point any more in distinguishing internal and external

One important deliverable was the Jericho Forum Commandments in 2006, and the Identity Commandments in 2011.

(Slide: Google and RSA security breaches)

Two major security incidents then occurred. Really major. Google was breached, allegedly by the Chinese under Operation Aurora, and the attackers gained access to source code and other crown jewels. Google set out to apply the principles of the Jericho Forum toward a perimeterless architecture, and that evolved into a set of products. The second was the compromise of RSA. The attackers, presumed to be state-sponsored, found their way in by spear-phishing (see my posts Black Hat: Phishing on Gmail and Social Engineering). They got to the RSA token seed servers, immediately making SecurID tokens like the one at the start of this post insecure and useless. Worse, they could then propagate the attack into other corporations using SecurID until the breach in the wall was closed.

Zero Trust

Wicus started with the secret decoder ring to all the acronyms associated with Zero Trust:

  • ZT – Zero Trust
  • ZTA – Zero Trust Architecture
  • ZT MM – Zero Trust Maturity Model
  • ZTNA – Zero Trust Network Access
  • SASE – Secure Access Service Edge
  • 2FA – Two-factor authentication
  • MFA – Multi-factor authentication

The approach was to switch from perimeter defense to ZT. In a ZT world, everything is remote access and we don't care where it is coming from. The top three tenets of ZT are:

  • Least privilege
  • Assume breach
  • Authenticate and authorize every transaction

A key aspect of making ZT work is identity. Every transaction needs to be authenticated and authorized, meaning that the person or people involved need to be identified.

The ZTA Identity-driven approach assumes:

  • People and processes need to interact with resources
  • Policies are used to enforce conditional access
  • Dynamic trust algorithms use policies to grant access

There are also Authentication Assurance Levels:

  • Based on context
  • Confidence associated with the authenticator
  • Number of factors required
  • Type of authenticator

In the past, authentication was purely by password ("something you know"). Now other aspects, "something you have" and "something you are", can be added. The weakest is sending a code by text message to your mobile (weakest because it is relatively easy to compromise text messages to phones). Better are authenticator apps, biometrics, and the emerging password-less approaches. Of course, Orange is in the mobile business, so they are especially focused on approaches that rely on mobile, indicated with the orange arrows in the chart above.
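The three tenets listed above (least privilege, assume breach, authenticate and authorize every transaction), the identity-driven assumptions (policies enforcing conditional access, a dynamic trust algorithm), the assurance-level inputs (number of factors, type of authenticator) and the ranking of authenticators just described all fit into one small policy-evaluation routine. The following is an added illustration, not code from the webinar, from Orange, or from any product. The authenticator strength table, the assurance-level rule, the device fields and the two sample resource policies are assumptions chosen to mirror the talk's ordering (SMS weakest, app authenticators and biometrics stronger); the requests are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet

# Assumed classification: which of know / have / are each authenticator is,
# and a relative strength (SMS codes are the weakest "have" factor).
FACTOR_CLASS = {
    "password": "know",
    "sms_code": "have",
    "totp_app": "have",
    "hardware_key": "have",
    "platform_biometric": "are",
}
STRENGTH = {"password": 1, "sms_code": 1, "totp_app": 2, "hardware_key": 3, "platform_biometric": 3}


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # identity is known, but a stronger authenticator is required first


@dataclass(frozen=True)
class Device:
    managed: bool   # enrolled in the organization's device management
    patched: bool   # OS at the required patch level


@dataclass(frozen=True)
class Request:
    subject: str                     # the person or process making the request
    authenticators: FrozenSet[str]   # factors presented for *this* transaction
    device: Device
    resource: str
    # Deliberately no "source network" field: in ZT every access is remote access,
    # so the policy never asks where the request is coming from.


@dataclass(frozen=True)
class Policy:
    min_assurance: int
    managed_device_required: bool = False
    patched_required: bool = False


def assurance_level(authenticators: FrozenSet[str]) -> int:
    """Assumed rule: 1 = single factor; 2 = two factor classes but the second
    factor is weak (SMS); 3 = two classes using an app, key or biometric."""
    unknown = set(authenticators) - FACTOR_CLASS.keys()
    if unknown:
        raise ValueError(f"unknown authenticator(s): {sorted(unknown)}")
    classes = {FACTOR_CLASS[a] for a in authenticators}
    if len(classes) < 2:
        return 1
    strongest = max(STRENGTH[a] for a in authenticators if FACTOR_CLASS[a] != "know")
    return 3 if strongest >= 2 else 2


def evaluate(req: Request, policies: Dict[str, Policy]) -> Decision:
    """Authorize one transaction. Nothing carries over from earlier decisions
    (assume breach: a session that was fine a minute ago proves nothing now)."""
    policy = policies.get(req.resource)
    if policy is None:
        return Decision.DENY          # default deny for any resource without a policy
    if policy.managed_device_required and not req.device.managed:
        return Decision.DENY
    if policy.patched_required and not req.device.patched:
        return Decision.DENY
    if assurance_level(req.authenticators) < policy.min_assurance:
        return Decision.STEP_UP       # conditional access: ask for a stronger factor
    return Decision.ALLOW


# Constructed sample policies: email is low sensitivity, source code is high.
POLICIES = {
    "email": Policy(min_assurance=2),
    "source_code": Policy(min_assurance=3, managed_device_required=True, patched_required=True),
}

if __name__ == "__main__":
    byod = Device(managed=False, patched=True)
    corp = Device(managed=True, patched=True)
    print(evaluate(Request("alice", frozenset({"password", "sms_code"}), byod, "email"), POLICIES))
    print(evaluate(Request("alice", frozenset({"password", "sms_code"}), corp, "source_code"), POLICIES))
    print(evaluate(Request("alice", frozenset({"password", "platform_biometric"}), corp, "source_code"), POLICIES))
```

The useful property to notice is that the same identity gets three different answers depending on what was presented for this particular transaction and on which device, which is the "dynamic" part of the trust algorithm; a real deployment would add signals such as device attestation and risk scoring to the same shape of decision.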

Of course, this immediately raises the issue of how secure your mobile is. If your mobile can be compromised, for example, there is not much point in using it for facial recognition. In mobile, there are really only two important companies: Apple with iOS and Google with Android. Both have made major investments in security, both built on a hardware root of trust.

  • iOS: a closed and proprietary ecosystem. Apple excelled in the way it designed its SoC with a secure enclave to protect key material and to handle biometrics on the phone.
  • Android: an open software platform relying on third parties for handset manufacturing, but Google is becoming more prescriptive about what is required to deliver a “trusted execution environment.” Not all devices have the same capability, but the high-end phones are comparable to what Apple is offering.

Charl came back and showed the chart above. The orange line shows attacks on mobile. They are not yet the main vector, but they are starting. As he said:

What an attacker would have to do is root the device, taking control at the lowest operating system level (very difficult, but it gives you “god” privileges so you can steal anything). Up until 2021 I would have said these attacks were not feasible, but one thing we watch, the orange line at the bottom of the graph, means we are starting to see these attacks in the wild at the end of 2020.

Governments worldwide also want to get onto users’ phones. They have gone to specialized companies (NSO is one, but there are others) and bought tools to compromise users’ phones in just the way our threat model describes.

Above is a slide from NSO Group, just to show how "professionalized" these groups that have emerged from the military-industrial complex have become. Governments want professionals because they need exploits, and that drives demand. The chart above looks a bit like the periodic table of the elements, but it is what NSO will pay for exploits, going as high as $2.5M.

That shows how difficult these exploits are to develop. But once that kind of money is on the table, it subverts many of the security paradigms we “held to be true”. This hacking is starting to happen, with a whole industry developing these exploits, priced beyond what a criminal might pay. There is demand to be able to bypass multi-factor authentication (MFA), and an emergent capability is working on hacking phones. The bad guys need to attack phones to bypass MFA, and we will see those attacks in the next few years.

Mobile phone security is going to become key to ZT. Criminal elements are massively investing in compromising our networks and are not going to give up just because it gets hard. Phone-compromise techniques that defeat 2FA and MFA are going to be pushed down from this cyber-military complex to hackers.

Q&A

Q: What risks does zero trust introduce into an organization?

A: Most organizations have everything set up and understand it well, so upending that and introducing something new can be a problem. You can quickly flip everything from working to not working. Adopting it needs a lot of thought, and it can take a long time to introduce. It is a multi-year process.

Q: Security aside, what is the cost-saving in transition from hybrid cloud with VPN to ZTA?

A: On-prem VPNs are not adequate.

Q: Can I buy zero trust?

A: Short answer unfortunately is no. It is not a product. It is something each business has to architect for themselves. Do not believe you can just buy it, you have to have a plan to take a section of a business unit and migrate it across. No zero trust solution fits everybody.

Q: If you were to start a new company, what would you recommend as a ZT implementation?

A: When you start a new company, it is easiest since there is no legacy. I would deploy a SASE platform and start with them.

Q: What if "something you have" gets stolen, like fingerprint or biometric face information?

A: One advantage of something you have is that you know it has been stolen (token, phone). Technically, stealing someone's face is hard, and not on the scale of stealing someone's password. I have seen things that defeat iPhone face recognition, but it is hard to scale. MFA is moving from SMS to biometrics, which are much more secure.

Q: How do we ensure our personal phones are protected from being hacked?

A: All you need to do is ensure you have a decent password set, and choose your platform wisely: big reputable vendors versus smaller ones. Make sure it is patched. Where it becomes challenging is with thousands of employees and BYOD (bring-your-own-device): how do you ensure phones are all patched?
