Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
So, ladies and gentlemen, welcome to the closing keynote of the European Identity & Cloud Conference 2013. I hope you had very enjoyable and interesting three days. I must say I learned a lot. I think the level of discussion, the intensiveness and also the maturity of the way the topics we presented here were received by the different stakeholders, vendors as well as users, has demonstrated, in my view, a level of understanding of the topics, specifically in the identity and access space.
Of course, that makes me confident that this is really achieving what we aim for with this series of conferences. So, topic-wise, a number of things have been achieved. I think a number of new topics emerged or have been stressed and strengthened, like life management platforms, for example. Others, discovered in the last years, now take up with immense speed, like OAuth, for example, for having new and much more flexible ways of handling authorizations over the web, or over HTTP to be more precise.
But this is only a part of the preventive activity for keeping our information systems, and ultimately our information, secure. So I would like to give you in this closing keynote a number of ideas that go beyond the topics of this conference, and maybe you can take one or the other thought with you in that respect. The basic idea is the following. Today, we are mostly handling an information-centric perspective. So the data and the systems, the IT, the information technology, is information-centric.
Now you could say, well, this is something we tried to achieve for the last 20 years. We tried to move from IT security towards information security, and we achieved that to a large extent. We have a pretty good maturity of information security management systems now in most industries, and we have been able to transport this concept into this new world that is influenced by cloud computing, by mobile computing and by social computing. So we are pretty safe at that point. And, from my point of view at least, here at the EIC,
I see that we have accomplished as an industry that this is now something everybody understands must be done to secure information. The risk mitigation for achieving information security has people, process and technology aspects; you know, all good information security needs people, process and technology. You need responsible persons, like security officers, or maybe also steering committees taking responsibility for group decisions. You need processes for assuring the information security. It starts with access governance processes.
It goes beyond that, towards the definition of security protection levels, up to reporting processes. And we need technology to support that. Of course, one major technology that we are discussing here, which most of us are very familiar with and are in that business, is identity and access management. But there's more technology.
Another very important technology here is security information and event management. But we see the real-world integration happening at such a high speed that we have no time. We don't have the 20 years of time in which we have actually been able to build up this information security competency in the industry. The real-world integration goes so fast that we need to change the way we approach security. The risk materialization chain changes.
By risk materialization, I mean how the risk that occurs, that actually becomes effective through an incident, has consequences for the company or for society. In the information-centric view, some data gets compromised. The company may be affected by information theft, for example. Their processes, the core or supporting business processes, may be damaged a little bit, and only then people may be slightly affected.
If you think that through and take the example of stealing information, for example espionage or knowledge theft from foreign countries, then this is, to be honest, of little and only long-term impact on individuals and people. Now, with the smart-world integration, with our IT being integrated with all kinds of sensors, all kinds of SCADA systems that are controlling energy provisioning, water provisioning and the like, this becomes different.
The reason is that in that world, what you do with the data, or damage to the data, will first impact the process. And the process, I will give you an example later, will immediately impact, or can immediately impact, people. And only then will the company running that infrastructure or that process be affected. So it changes the way the consequences are received by these different stakeholders. That's a dramatic change, and it's happening so fast.
So fast that this is really astonishing and needs to be addressed. As I explained earlier, the complexity that we need to address rises at an incredible speed.
When you think back to when the major topic of security in the IT environment was IT security, it was very clear what you wanted to have. You wanted to have availability of the systems and, well, not much more than this actually; most CIOs are still measured by how available the systems they run actually are. Information security becomes more complicated, because you need to take into account ownership by people. You need to take into account non-technical representations of information, which you don't have under control in your IT environment.
The next step is process security. So you note, as said in this sequence chain, it's no longer about the information that needs to be in the center of your protection, but it's the process. It's a business process, and it may be a critical business process for society.
The first glimpse we have of that is business continuity management, but that only addresses the continuity aspect, which is to some extent parallel to the IT security versus information security situation, where in that case we only looked at the availability of the data. So here's my example: take train security. You could have taken any other example where there's a critical infrastructure behind it, energy, banking, you name it, but I took trains because I thought maybe there's no big train organization here, so no one feels offended by that example.
So the signals, the way that trains are controlled today: train security is happening in the following way. When trains go through a specific piece of the circuit, they automatically generate a signal, "I'm starting here and I'm passing here," and they give a second electronic signal when they have left that segment.
These signals are sent to central operating centers. For example, for Deutsche Bahn there are 26 of them in Germany for the different regions, which are then moreover concentrated in six regional centers. And most of the train delays happen for the following reason, namely not that something bad happened where the train needs to stop and investigate what's happening.
No, it's just because the signal for the next segment being free is missing. To build up that infrastructure, or rather, this infrastructure has been built up using proprietary closed networks, and all the different signals go indeed over a cable along all these train lines. It's very costly, and it's a very rigid system. In these centers, there are highly trained experts that monitor the systems and need to take action.
That very often takes personal decisions under stress situations, where there are different trains that need to get a response at the same time. Different train drivers ask for permission to drive although the signal is not there yet, and they need to overrule the system.
So to say, obviously this is much more error-prone than if an IT system itself would handle that situation.
The error rate in the decision making is much lower if you would let an IT system do that. That's the good part. Now guess what all major European train organizations do? They switch from that manual approach towards an automatic approach.
So their plan is to replace the people taking these decisions by automatic systems. For this to be able to happen, they need to rework their signal infrastructure. And guess what? This signal infrastructure will be IP-based, for cost reasons and for support reasons regarding future support. So the future train infrastructure in Europe, it's not yet happening today, some smaller parts are running pilots, but the future infrastructure for trains is based on IP-based automatic signaling and automatic computation.
So it will be a fully automated system with different types of rules, and rules will govern the way that these trains work. Now, if someone attacks these systems or changes the signals: in today's world, we have the process capabilities, since there are still people sitting there at the desk, for actually reacting and preventing an accident from happening. In a pure IT-based system, we don't have that. So we need to enhance the process to have this capability. So we need to think about something like business process integrity.
It's not only about continuity and availability anymore. It's about integrity, about the process running right, doing the right things. And as I said, you can take any other example, energy provisioning and so on. So the underlying issue that we have here is that the more smart usage we want, the more complexity we need to manage; the more we integrate the systems for getting smart decisions, or smart decision preparations, or smart execution of processes,
the more I need to manage the complexity in the first place; I need to create architectures with a high level of complexity to be able to address that. So this changes the risk mitigation options. Think about this risk materialization chain change, right? The risk mitigation changes. There are no longer the same options you have for addressing the risks. Missing IT security, something we are not really thinking about today, may directly lead to injuries and death.
And, by the way, it may also be subject to cybercrime and cyberwar, but this is a definition I don't want to go into here. And of course the next issue is: this is something we can say as a community, but how will I convince my CIO, my IT responsible in my organization, to take that seriously?
Is this something he should address, he should think about? Or will he say, well, come on, I'm driving IT, I'm not driving the core business of that company?
Well, actually, if you take the CIO perspective, it really depends on whether your IT is in the supporting function only, or whether you are running the IT of the production environment. If you're only a supporting function, you could say, well, I'm also using the cloud, so does IT matter, in the sense of Nicholas Carr?
No. But for industrial IT, for your productive IT, it does. What do I need to protect? Whatever my business asks of me, right.
In the supporting function: tell me what the important information is, tell me what the important business processes are, I don't know.
I'm just the IT guy; I'm delivering a service. In industrial IT,
you are part of that value creation as an IT person, as a CIO. So you need to take this responsibility as part of your day-to-day job. So process integrity, safety, using any kind of information, any kind of data, will be at the core of your interests. So that really changes. But we don't know how to protect that. We have the experience, as I explained earlier; we have achieved a really good maturity across the industry in establishing management systems for security, for information security, for the supporting business part, not for the core business part.
Indeed, if you look at what's there regarding standardization and established best practices, then you will see that there's little to no common understanding across the different sectors, for example.
So air traffic security, air traffic control, has a completely different approach than, for example, the energy sector. So there's really something that needs to be discovered, and which is yet to be seen. By the way, my view of the world is that the distinction between supporting IT,
so to say, and core IT, IT for the core business, for the productive production environments, will become irrelevant. So either IT departments will endorse industrial, productive business IT, or disappear. That's the consequence of this cloudification of IT services. We've discussed that a number of times, and I think three or four years ago my keynote was already referring to that. I can only strengthen, from my personal view today, that this is actually the only way out for IT organizations: get into the core business.
So will our experience, I mean this experience and that maturity that we have developed, help in addressing the new risks? That's a good question. Basically, if you look at what you need to change in the approach, there's not so much there. The core thing we need to change, and I addressed that earlier already, is to change from asset protection. Instead of thinking in terms of protecting assets, everyone in the information security business, in security departments and in IT companies, thinks about assets: what is the asset? What needs to be protected?
We need to switch from the asset to the process. We need to take a process view, right? So we need to think about process availability, process integrity, and consequently, and here we come back to IT of course, software integrity. For process availability we already have something; it is already standardized. So this is really a good step forward.
And as I said, it's natural that we do this in the first step, because this is the analogy to moving from IT security to information security: business continuity management. We need process integrity to be able to prove, describe, manage and support processes from an IT side, to actually assure the integrity of a process. This is something new. This is something we do not do today from an IT perspective.
There are, as I said, industry-specific approaches, mostly on an organizational level and sometimes on a quality control level when software is used, but not as an integral view on the IT processes. And finally, since any of these devices, any of the IT components that are in there, will need software, the software in itself must be functioning, must be trustworthy, right? So we need confidence in the well-functioning of the software. So we'll spend the last few minutes now on these two topics: process integrity and software integrity.
So integrity comes first. How can you achieve that?
Of course, we have preventive actions. This is very much along the lines of what we discuss here. So everything we do here in cloud security, in access governance, in information lifecycle management will be taken into account, will go in here. So the processes must be architected accordingly, and they must take into account the existing best practices and security mechanisms that we have. But we need a reactive capability. In that environment, only relying on prevention will not work.
We will need to be able to react if an incident occurs, and we need to react in real time, because it may happen that we need to avoid that this train crashes into the next train, which is just in front of it. And we may have five minutes or so before that happens. So we need to identify integrity interruptions. We need to reconstruct the integrity in real time. And of course, later on, we need to investigate the threat, take action and introduce changes to improve that.
So the basic idea here is: prevention alone will not work. We need to go beyond that. The other topic: software integrity. Again, there was a session here on trust models, trustworthiness models. I wasn't there because I had to moderate here, but I heard that basically the answer was that there is no really convincing model. And indeed, that's the current situation. We have secure software development best practices, but they are best practices. We have certification, but it only works in a limited way.
Certification is only really doable for very small pieces of software in a very predefined environment, like Common Criteria. So we need new approaches. We need modularization, so we need to divide software into different parts. We need to identify trusted providers of software. And people on the other side, on the user side,
so the IT departments, need to be able to verify the origin, that the software comes from the right place, not only using digital signatures, that's something we have today, but more: that the process that has been used for developing that software has a number of activities and a number of competencies that help us. And this is new. We need constant checks of well-behaving. So we need not only to check that the software is doing nothing malicious, which obviously gives us ideas that there must be a Trojan horse or something, but we need that.
We also need to be able to check that the software behaves well, right? So, doing the right things that we expect from the software. If your supplier can't convince you, you need additional compensating controls, because three of these four will drop if you can't rely on your supplier. So this is going to be important. There's a difference between well-behaving and well-being, right? Well-being is: the system is alive, and works, and functions.
It may now and then do things that I'm not expecting it to do, but ultimately it doesn't impact me too much, because this is only consuming computing resources. This is well-being. This is what we have been looking at IT systems for, for the last 25 years. What we need in that process context, in that new smart world, is well-behaving. We need to know that our systems are doing what they're expected to do and nothing else.
And on that idea: I spoke to Felix Lindner, a famous German hacker, in January, and we were discussing, around a conference on cybersecurity, what individuals could actually do to identify whether they have been affected by cyber attacks, or just by hackers on their machines. And he said, well, you know what, Sasha, actually you can't see it today with today's capabilities in the software and operating systems.
You, as an average user, are not able to see whether someone has hacked your machine or not. But what else can I do? You can monitor the processes. You can look at what your machine is doing.
You could monitor what's coming out of the machine. You could look at what times of day the processor speed goes up and the fan goes on, right? Things like these. Observation of well-behaving is different from well-being, right? This is important. We need to change the view on that. And last, we need to learn from classical security people. Security in the IT business,
as I said a number of times now, is too much focused on prevention for coping with this smart world. We need reactive capabilities. We need to be able to detect not-well-behaving. We need to detect: something goes wrong here. Although obviously I do not know whether really something bad will happen, this behavior is not matching expectations, so I should start investigating. This is a capability we need to learn. SIEM solutions are the first approach, the first technological sector which tries to address that.
In my view they are far from being able to do this, even for the average PC that every one of us has. So still a lot of innovation needs to happen. We need to constantly check, we need to detect, we need to react and we need to respond. This is what the classical physical security people have done for years, for hundreds of years, and there must be something good in it. So I think these are the ideas we could borrow or adapt to be better.
So we need evacuation plans and cleaning plans: evacuation plans from your IT system, cleaning plans to get rid of the stuff which shouldn't be there; backfiring plans, so also get active against your intruder, so start a battle,
so to say; restore-integrity plans: get back to the safe state. And ultimately also attack plans. So you need to have attack plans in your pocket for the case that someone actually attacks you in that environment. So the impact on today's security architecture is: we need to strengthen software security assurance, software assurance. We need security by design. Of course we need secure identities; this is a major part of that picture. We need access governance. We need SIEM, as I mentioned. And we need a risk-based information security program.
So, everything I mentioned: are there concrete lessons to take away for you? I'd like to give them to you here in the closing keynote. Check your software manufacturer. Be prepared in your processes to better look at what they're doing, what they're selling. You build assessment catalogs for your cloud service providers, but also for your on-site software manufacturers, whether they actually are able to develop secure software. Look at the different best practices, either from OWASP or from other sources. Ask for doing the things right,
not only for doing the right things. Don't trust preventive security measures. That's my core message, so to say. Don't trust preventive security measures. They may have been tricked. The best example is Stuxnet. Stuxnet, the attack on the Iranian plant to generate nuclear material, was, from a systemic point of view, suffering exactly from that aspect. They had splendid preventive controls in place, but some of them had been tricked. So they were not able to detect that something was wrong. Exactly the point.
So understand your risks and, last but not least, be evil against the intruder, right? He is able to use these means, so do you have the right to be evil against him as well? Don't think, well, I'm sticking to my preventive measures. I think this is very important, to have this mindset, also to be ready to fight back. Thank you very much.
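The following is an added example, not part of the keynote and not code from any railway operator or signalling vendor. It turns the train example and the "well-behaving versus well-being" distinction into a small process-integrity monitor: a toy block-signalling line where every train reports "enter" when it occupies a segment and "exit" when it leaves, and a driver's "request" asks for the next segment. Instead of only checking that messages keep arriving (well-being), the monitor checks each message against the expected process (well-behaving): an exit without a matching enter, two trains reporting the same block, or a train that jumps to a non-adjacent block is treated as an integrity interruption. The reaction is in real time (signals around the affected block go to STOP, occupancy is assumed worst-case), the incident is recorded for later investigation, and a restore step implements the restore-integrity plan once a field check has cleared the block. The segment names, train IDs, message triples and the whole event stream are constructed for the example; the linear line topology is a simplifying assumption.

```python
"""Toy process-integrity monitor for a block-signalling line (added example).

Messages are constructed triples (kind, train, segment) with kind in
{"enter", "exit", "request"}. The line is assumed to be linear; segment
names and train IDs are hypothetical.
"""
from dataclasses import dataclass, field

STOP, CLEAR = "STOP", "CLEAR"
UNKNOWN = "UNKNOWN"  # worst-case occupancy after an integrity interruption


@dataclass
class Monitor:
    segments: list                                 # line in track order, e.g. ["S1", "S2", ...]
    occupant: dict = field(default_factory=dict)   # segment -> train id, or UNKNOWN
    position: dict = field(default_factory=dict)   # train id -> last segment it entered
    signal: dict = field(default_factory=dict)     # segment -> STOP / CLEAR (entry signal)
    incidents: list = field(default_factory=list)  # recorded for later investigation

    def __post_init__(self):
        for seg in self.segments:
            self.signal[seg] = CLEAR

    def _neighbors(self, seg):
        # the segment itself plus the adjacent ones on a linear line
        i = self.segments.index(seg)
        return self.segments[max(0, i - 1): i + 2]

    def _fail_safe(self, seg, reason, event):
        # Reactive capability: protect first, investigate later. Every signal
        # around the affected block goes to STOP, the block is assumed occupied
        # by something unknown, and the event is logged with its reason.
        for s in self._neighbors(seg):
            self.signal[s] = STOP
        self.occupant[seg] = UNKNOWN
        self.incidents.append({"segment": seg, "reason": reason, "event": event})
        return STOP

    def handle(self, event):
        kind, train, seg = event
        if seg not in self.segments:
            self.incidents.append({"segment": seg, "reason": "unknown segment", "event": event})
            return STOP
        if kind == "enter":
            holder = self.occupant.get(seg)
            if holder is not None and holder != train:
                # two trains in one block: the highest-priority integrity violation
                return self._fail_safe(seg, "double occupancy", event)
            prev = self.position.get(train)
            if prev is not None and seg not in self._neighbors(prev):
                # a train cannot skip blocks: forged, replayed or mis-routed message
                return self._fail_safe(seg, f"implausible movement from {prev}", event)
            self.occupant[seg] = train
            self.position[train] = seg
            return "OK"
        if kind == "exit":
            if self.occupant.get(seg) == UNKNOWN:
                return STOP  # block already under investigation; no new incident
            if self.occupant.get(seg) != train:
                # exit without a matching enter: a lost or spoofed message, so we
                # no longer know what is in this block
                return self._fail_safe(seg, "exit without enter", event)
            del self.occupant[seg]
            return "OK"
        if kind == "request":
            # permission to proceed only while the process state is consistent:
            # the block is free and no open incident has set its signal to STOP
            if seg in self.occupant or self.signal[seg] == STOP:
                return STOP
            return CLEAR
        self.incidents.append({"segment": seg, "reason": "unknown message type", "event": event})
        return STOP

    def restore(self, seg):
        # Restore-integrity plan: after a field check confirms the block is empty,
        # drop the worst-case assumption and re-open the surrounding signals. The
        # occupancy check in handle() still keeps trains out of occupied blocks.
        if self.occupant.get(seg) == UNKNOWN:
            del self.occupant[seg]
        for s in self._neighbors(seg):
            self.signal[s] = CLEAR


# Constructed event stream: a normal run of T1 followed by T2, then a spoofed
# or lost message for a train that never entered S3, then T2 "jumping" to S4.
SAMPLE_EVENTS = [
    ("enter", "T1", "S1"),
    ("request", "T1", "S2"),
    ("enter", "T1", "S2"),
    ("exit", "T1", "S1"),
    ("enter", "T2", "S1"),
    ("request", "T2", "S2"),   # denied: S2 still occupied by T1
    ("exit", "T9", "S3"),      # integrity interruption: exit without enter
    ("enter", "T2", "S4"),     # integrity interruption: T2 was last in S1
    ("request", "T1", "S3"),   # denied while S3 is under investigation
]


def run(events, segments=("S1", "S2", "S3", "S4")):
    """Feed an event stream through a fresh monitor; return decisions and the monitor."""
    monitor = Monitor(list(segments))
    decisions = [monitor.handle(e) for e in events]
    return decisions, monitor


if __name__ == "__main__":
    decisions, m = run(SAMPLE_EVENTS)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(ev, "->", d)
    print("open incidents:", m.incidents)
    print("signals:", m.signal)
```

The point of the model is the order of operations: the check is against the expected process, not against the liveness of the message feed, and the first action on a mismatch is the safe state, before anyone knows whether an attacker, a faulty sensor or a lost packet caused it. Investigation and `restore()` come afterwards, which is the prevention-plus-reaction split the keynote argues for.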