The System Security Emperor has no clothes!


A friend of mine, the former head of security for an intel agency and now head of security for a major contractor, is fond of saying that bad decisions made more efficiently are still bad decisions.

Sometimes I feel like the kid shouting out “The System Security Emperor has no clothes!”

The reality is that we operate in a very corrupt and leaky data environment. Systems are breached and data is stolen, sold, deleted, or corrupted at will by attackers that range from script kiddies to nation states.

Massive data breaches are a daily event, and the most frequent target for these attacks is personal identifying information (PII). Why is this the target? Because PII can be used to gain access to the network just attacked and can be leveraged to gain access to other networks.

Yet we promote Identity Access Management systems that assume that if they are only strong enough they can keep the attackers out. The truth is that it is too late for that approach. The attackers are already embedded in our most secure systems.

So many of the major players in the system security business approach the problem by pointing out the vulnerabilities in every system and selling the concept that if only they plugged those holes everything would be fine. The truth is that that approach is nothing more than a virtual Whack-a-Mole game.

The only reasonable operating assumption is that all of our systems presently contain insider threats that are both physical and virtual! The operating assumption that somehow we can operate in a pristine environment is not only unrealistic, it is outright dangerous and enables our adversaries.

The OnliU business model is that we accept the fact that our data systems are corrupt and infested by our adversaries who are using the same credentials that we provide our legitimate users – because that is who they stole them from!

My own personal data was stolen at least a half dozen times in the last year (that I know about) and the biggest theft was my security clearance data stolen from OPM – including my digital fingerprints!

The OnliU business model assumes all these bad things as the operating environment we live in and asks: “What do we do now? Can we safely operate in this corrupt environment and defeat our adversaries?” The answer is yes, if we can tell friend from foe not only on the outside of our system but also, more importantly, on the inside. Can we identify the virtual bad guy even if he possesses all the trusted credentials of the good guy? Yes! That is what we do with OnliU.

The promotional materials from the leaders in this industry (OneLogin, SailPoint, IBM, Okta, etc.) all take the approach that we can build a stronger login process with better passwords, stronger encryption, better process management, etc., and that this will defeat the adversary at the gate. In our view this is the risk that Charlie Phelan was talking about.

The OnliU approach is to recognize that we have something that the bad guys can never have, no matter what they steal – that is the actual flesh and blood legitimate user. The best they can do is a perfect digital copy of the legitimate digital user.

We take a link out of the security chain from a time before digital technology when identities could not be stolen, because people could not easily be stolen. This was a time when credentials were very weak, but people actually recognized each other and didn’t need the credentials at all.

Our premise is to place a link in the IAM process that steps completely out of the digital universe and back into the flesh and blood space where the attacker cannot replicate the legitimate user. We do all the other strong stuff, too!


© 2016 On!iUs Inc., 15250 Heather Mill Lane, Haymarket, Virginia 20169, USA. All Rights Reserved.