Identity in Cybersecurity Ep. 1 — Walking the Security and Convenience Tightrope

Ian Paterson talks to Ed Hammersla of Forcepoint, IBM, NEC, and Red Hat fame about the most basic trends and tradeoffs in cybersecurity.

How have the threats in cybersecurity changed over time? How secure is data access today compared to 10 years ago? Are different strategies required for cybersecurity in government versus corporate life? What’s the best way to find good cybersecurity talent in a tight market?

In this episode, Plurilock CEO Ian Paterson interviews seasoned corporate executive and cybersecurity expert Ed Hammersla for answers to these questions—and more.

Host: Ian L. Paterson
Guest: Ed Hammersla
Length: 25 minutes, 41 seconds


Transcript

Ian: Welcome to the Identity in Cybersecurity Podcast! I’m your host, Ian Paterson, and in this episode, I’m speaking with Ed Hammersla, a cybersecurity expert who has had an incredibly wide and diverse body of experience spanning decades—all the way back to the 1970s—that includes big names like IBM, NEC, Linux, and Forcepoint, in both the commercial and government sectors. In this episode, we discuss how computing automation and the internet have changed identity in cybersecurity. Let’s get to it.

Ian: Ed, welcome to the program.

Ed: Thank you—a pleasure to be here.

Ian: So, how did you actually get started in cybersecurity?

“One way I’ve heard it described is in the computer industry we started with two trust models and promptly broke both of them.”—Ed

Ed: Well, in the mid-nineties, I moved back to the East Coast from California, having lived out there for almost 20 years. And I was given responsibility for a software company that had a federal division. And that was in the early nineties. Although my parents spent some time in the government, I was born and raised in the Maryland area. I hadn’t actually done government work when I was at IBM at all; I was 100% commercial: manufacturing, hospitality industries, and things like that. So I got to learn the federal business.

Ed: On day one I inherited some flag officers that worked for me, as well as some very experienced federal folks, so I got to learn easily from them. There was a company back then called Knowledgeware, and then I ended up taking over Informix Federal, and then I took a hiatus from the government business for a little while and went into healthcare with Johnson and Johnson.

Ed: And then I got involved in a company in the early 2000s called Trusted Computer Solutions, which essentially used trusted operating systems to develop software that allowed intel agencies to share information. And of course, after the tragic events of 9/11, everybody, at least in America, became painfully aware of it.

“We moved data out of the enterprise to the point now where no self-respecting CIO could say that they know where all their data is anymore.”—Ed

Ed: Intelligence agencies needed to share information in a much more effective way than they had. So, that business started the evolution into a trusted Linux, building software tools that allowed the agencies to share information. And that company eventually got acquired by Raytheon back in 2010. So: more directly in government and security since the early nineties, but I started in computers in the late 1970s at IBM, in what we used to call application software for manufacturing companies.

Ian: How has the industry changed over time? I mean, obviously the hardware and technology have shifted dramatically, particularly in the last 10-20 years. But what are the big changes that you’ve noticed?

Ed: Well, I mean, unquestionably the biggest change is the internet and how that’s changed essentially everything. The other thing that I’ve observed is that the principal business processes that businesses and government organizations employ were automated as early as the late 1990s and early 2000s. Business processes such as order processing and inventory control and invoicing and all those things, which, believe it or not, at one time were manual or partially manual, all became automated.

Ed: So, there came a little lull in the late 1990s, early 2000s, and some devaluations in the market for startups, because there was a feeling among investors and others that all the big plays in software are gone! And you know, everything that can be automated has already been automated; now there are just niches out there. But a few years later, the light went back on and people realized that software eats everything! And the advent of the handheld phone, iPhone or Android, really proved that.

Ed: I’ve heard friends stand up at conferences and say, “Listen, I used to drive around in my car and in the back of my trunk I had a map, a compass, and a flashlight. And of course, that’s all software on my phone now, right?” So that sort of kicked off another round of growth. So I think the ubiquitous nature of software eating everything, the internet, and then the growing business processes that receive automation would probably be the three biggest.

“We’ve been scrambling for the last couple decades to retrofit two different environments with security controls and as the facts bear out, we’re maybe slowly gaining, but we’ve been losing for a while.”—Ed

Ian: So, it seems to me that business process automation has had a huge impact on the amount of data that is stored by businesses, and particularly data stored in forms that are more easily accessible, obviously to the business itself, but also to adversaries that want to have access to it. So, I guess with the changing IT structures that have occurred over that time, what have you noticed about the threats to businesses that have changed during that same time period?

Ed: Well, that’s a great question, Ian. One way that I’ve heard it described is in the computer industry we started with two trust models and promptly broke both of them. The first one was what you might call the old mainframe model, where you had one central computer with all our data, all our processes, everything that was important, in one raised-floor, locked environment. Access to that was via dumb terminals. So, in the 1950s and 1960s, if you went in and stole the terminal off someone’s desk, it wasn’t worth anything, because all the data was back at the host; you couldn’t access it without the proper credentials, passwords, etc. But of course, the advent of client-server broke the mainframe apart, and we moved data out of the enterprise to the point now where no self-respecting CIO could say that they know where all their data is anymore.

Ed: At the same time, the PC launched and came into existence, and as the name implies, initially it was a personal computer people kept in their dens under lock and key and used to do their taxes or whatever. But at the same time as we were moving data out of the mainframe environment to departmental users, we also lashed all the PCs to the internet. So, then we find ourselves in the modern computing environment with really no built-in security controls in either one of those architectures, so we’ve been scrambling for the last couple of decades to retrofit two different environments with security controls, and as the facts bear out, we’re maybe slowly gaining, but we’ve been losing for a while.

“Not only is there a need to anchor identity into human characteristics, so we know who we’re dealing with, the more we do that, the more we can get rid of cumbersome administrative activities that have crept into our identity segments in the last couple decades.”—Ed

Ian: So, how does digital identity fit into that? It seems like historically we’ve had data that’s been accessible by a few people, simply by the nature of it being physical; then it turned digital and now there’s greater access to it. Now the question we’re being faced with is “who” is accessing that data. Are they the right person? What are your thoughts on access to data today compared to how it was 10 years ago? How does that trend for the next 10 years?

Ed: So, I’m a person that’s been a subscriber to The New Yorker magazine since 1969, and probably some people remember that in 1993 they had a prophetic cartoon in there with a couple of dogs sitting in front of a computer terminal, and one of the dogs says to the other dog, “On the internet, nobody knows you’re a dog.”

Ed: I say it was prophetic because in 1993 the internet was sort of a brand new thing, at least to most people. And yet, here we are, 20-something years later. Not only is that still true, but it’s worse now. You don’t even know if it’s a living, breathing mammal! I mean, it could be bots, it could be anything!

Ed: So digital identity, lacking some anchor into human behavior or human reality, is a very dangerous thing. And what we see today is all the concern about manipulation of populations and this, that, and the other thing, basic messaging, because when you see trends happening in social media, you really don’t know if that’s truly a million people or if that’s a small handful of people with a few million bots behind it, right?

Ed: And so digital identity has become extremely unverifiable. And one of the great needs of today’s security environment in the cyber world is to begin to anchor identity back to some human characteristics when possible.

“I think threats are ongoing but the ability to be resilient in business turns out to be the number one characteristic that both government and commercial organizations want.”—Ed

Ian: Are you seeing that there are tools or techniques there that are doing a better job than others?

Ed: Well, yes, the kind of technologies that begin to attach identity to a particular human being, so we have greater confidence and assurance that who we’re interacting with online is indeed that person.

Ed: The wonderful thing about these particular technologies is not only do they have the potential to dramatically increase the level of assurance and security for transacting over the internet, but they also add convenience to the user experience, which is very unusual in the security world. In the past 20 years or so, the more we’ve added security to the internet, typically, the more inconvenient it has become, with digital certificates or RSA tokens, or multiple passwords that have to change, long-phrase passwords, right? Not only is there a need to anchor identity into human characteristics so we know who we’re dealing with; the more we do that, the more we can get rid of cumbersome administrative activities that have crept into our identity segments in the last couple decades.

Ian: It’s interesting; we’ve seen quite a bit that there’s an inherent tradeoff between convenience and security. I think that the other big driver is regulation. You have an increasing number of standards that organizations have to comply with: GDPR is a great example, where an entirely new class of software was created as a result of GDPR coming into effect, even for organizations that didn’t transact in Europe; they still saw this was the coming wave of regulations. So there are three drivers: addressing security threats, still enabling business to happen (i.e., convenience), and complying with regulatory standards or bodies. Do you see any one of them superseding the others?

“A constant complaint I hear from the CISO community, particularly in the defense and industrial complex, is that ‘regulations force me to spend money on something I know that if I spent those dollars on something else, I’d create a safer environment for my enterprise.’”—Ed

Ed: Probably the resiliency factor, the ability to be able to conduct business in a compromised environment, is probably the number one thing. We’re gonna have threats, always. I prefer the healthcare analogy for cyber, which is the notion that if I as a human being were to say “I’ll never get sick another day in my life,” you wouldn’t believe me, yet businesses say “well, I’m not going to get hacked.” We live in a world full of threats; there’s no end to the creativity and the number of threats coming. A quote I always liked was from a former CIO of the FBI, who said: “We’ve never been able to get rid of crime in the physical world; what makes you think we’ll ever get rid of it in the cyber world?”

Ed: I think threats are ongoing, but the ability to be resilient in business turns out to be the number one characteristic that both government and commercial organizations want. Regulations can be a two-edged sword. On one hand, they can be good and allow similar patterns and uses to take place, but there’s the old saying, “I love standards; there are so many to choose from.” The other thing that can be dangerous about regulations is that sometimes they can force organizations to spend money on things that aren’t the most effective use of funds.

Ed: A constant complaint I hear from the CISO community, particularly in the defense and industrial complex, is that “regulations force me to spend money on something I know that if I spent those dollars on something else, I’d create a safer environment for my enterprise.” Compliance is good in some cases; it can be bad; it’s one of those things to watch. But I think enterprise resiliency, and being able to function in a conflicted space, is probably the number one thing. User convenience and operational convenience sort of play into that.

“When you say the word scalability in the world of software or security, most people think of volume, number of transactions, number of data points, databases, bandwidth, that sort of thing. Actually, effective scalability also means the ability to manage and administer a large system of users.”—Ed

Ian: So it’s interesting. I think that because of your experience, you’ve actually had kind of a unique view into seeing what government buyers are looking for, as well as commercial buyers. So in your mind, what are the differences that you see between securing digital identity in a government setting versus in a private commercial setting?

Ed: The environments are a little more diverse in government, actually. You have some environments where it’s absolutely critical that identity is maintained, in classified environments, etc., and then you have others that are maybe less critical, but you also have scaling and compliance issues that are a little more daunting sometimes than commercial.

Ed: While commercial compliance may be something that’s important, many government agencies have no choice but compliance. The product development teams and product management teams have to work in conjunction with the government standards makers to make sure the software is being built in a manner that’s consistently compliant with government regulations. And those regulations are often changing, especially in the classified world; there’s a sort of notion in the information assurance industry: “raise the bar.” So there’s a constant desire for government assurance people to make environments more secure than in the past, as the threats increase.

“The problem is that processes in cyber are so dynamic — they change so rapidly and are so unique to each organization and application. It’s very difficult to automate that.”—Ed

Ed: In both cases, commercial and federal, scalability is a big issue. We mentioned convenience, but convenience is a big factor with scalability. When you say the word scalability in the world of software or security, most people think of volume, number of transactions, number of data points, databases, bandwidth, that sort of thing. Actually, effective scalability also means the ability to manage and administer a large system of users. If you have half a million, a million, or 200,000 users on one system, how you administer that, how you update it, how you effectively manage that with a small effective staff instead of enlarging the bureaucracy to do so, becomes really important.

Ian: It’s been quite interesting; particularly with organizations that we’ve been dealing with, the single biggest driver to vendor selection has been around automation. How do you do more with less? How do you actually leverage the technology and not have the technology leverage you? There’s a requirement for a base level of staff needed to secure an organization, particularly mid-sized or enterprise. So given that there are over a million cybersecurity jobs left unfilled this year alone, how do you think about cybersecurity hiring for organizations that need talent but are having difficulty getting it in the door? What have you seen that actually works to staff up in a very competitive hiring market?

“Some of the security tools, particularly if they have not been maintained and they’ve been in the enterprise for a while, may actually be providing vulnerabilities and attack paths for threats.”—Ed

Ed: Yeah, that’s a very interesting question. The classic way the technology industry has dealt with this problem is automation: instead of having 100 people typing out invoices, you have a computer print them automatically. The problem is that processes in cyber are so dynamic; they change so rapidly and are so unique to each organization and application. It’s very difficult to automate that. I don’t know that anyone seriously thinks that we can get to a level of real automation in cyber, but what we can do is tool it up a bit. And by “tool it up” I mean supply security professionals, CISOs, staff, and others, with tools that speed up their ability to react to threats and speed up their ability to manage secure environments.

Ed: So, someday those tools can be linked together to provide some level of automation, but at this time the best thing we can do is look for productivity tools and try to think about eliminating some of the older approaches to security that may actually be lessening our security posture rather than enhancing it. There was a movement a while back; the notion was that we’ve all been brought up to think defense-in-depth and you never want to let go of any security mechanism, but in fact, some of the security tools, particularly if they have not been maintained and they’ve been in the enterprise for a while, may actually be providing vulnerabilities and attack paths for threats. So—the ability to audit tools.

Ed: I know the MITRE guys are working a lot on security tool audit positions of saying, “What are the tools you have? Are they really providing security? Are they just providing vulnerabilities for attackers to look at?” So, I think it’s important to take new approaches towards security, and this whole identity portion of the security market is one that is really ripe for innovation now. I mean, the username/password construct is now probably what, 20-30 years old, and hasn’t really changed that much. And I think one can argue that the $9 billion segment of the cybersecurity industry that’s in identity management is mostly built around trying to make the username-ID-password construct more secure. And in fact, biometrics and behavioral biometrics are coming to fruition now and are probably a better kind of technology to begin changing things on.

“It’s important to take new approaches towards security and this whole identity portion of the security market is one that is really ripe for innovation now.”—Ed

Ian: So that kind of leads me into more of a tactical question, but if you were thrust into a mid-sized financial institution and you were hired as CISO to help right the ship, what would a 30-, 60-, 90-day plan look like? What are the key priorities for you that you’d want to investigate in any new organization that you get into?

Ed: One of the first things I’d look at is the total security spend, especially with regard to tools and technologies. What percentage of that is on traditional perimeter security and what percentage is dedicated to looking at internal neighbor networks that may be already compromised? Let me explain that a little bit. I mentioned the healthcare philosophy, that says it’s pretty hard to keep people out of your network, but once they’re in, it’s easier to find them or prevent them from calling out and doing damage, right? In fact, most big breaches, Sony, OPM, and others, had 250+ days of dwell time.

Ed: So that means that you’ve got malware on your system now. And every time we go down this path, we get a lot of heads wagging “Yes.” But when you look at the data, the industry still spends upwards of 75-80% of its budgets on perimeter software: firewalls, advanced firewalls, etc. So you need a perimeter, but long gone are the days when you could trust that software to keep you secure. So today, you need equal parts investigating internal networks and their behavior to identify potential malware threats that are already in the system versus the traditional perimeter system stuff.

Ed: The first one is to say, maybe that split ought to be more around 50/50 instead of 80/20. And then take a look at the perimeter tools and see how many of them have been in there for a long time and are really doing something useful for them, versus how many folks do you have on a CISO staff that are doing nothing but trying to find malware already on the network, and that number is usually a lot less than it should be.

“How many folks do you have on a CISO staff that are doing nothing but trying to find malware already on the network, and that number is usually a lot less than it should be.”—Ed

Ian: So Ed, let me ask you one final question, and I’ll give you some air cover. You could answer this question either with direct experience or a quote heard from a friend, but tell us, what is the highest-stress cybersecurity incident that you’ve either been involved with or maybe heard from somebody else? What were some of the lessons learned that you took from that?

Ed: Highest-stress security incident? Hmm. The most critical and delicate security issue I’ve been involved with has been in the areas that Trusted Computer Solutions covered during my time there, and also while it was part of Raytheon. As I mentioned, that software is used to exchange classified information between different security levels. So the concern for any sort of compromise at that assurance level is very severe, as you can imagine. There is a very robust and very competent effort inside the government and the information assurance community to make sure that those systems are as uncompromisable as possible.

Ed: And interestingly enough, when you’re charged with the responsibility of running a business in that area, which I was, you wake up every day realizing that if you don’t pass the next internal information assurance test that the government has, you could literally be out of business, like tomorrow. So, building tools that are under the constant scrutiny of our government information assurance community turns out to be a pretty stressful environment, when on one hand you’ve got a responsibility to grow a business and supply customers with tools they can use, but on the other hand, you have a responsibility, and indeed a requirement, to come up with products that pass a series of tests that you know nothing about prior to passing or not passing the test. So, that was a sort of constant reminder that we have to be on our toes at all times.

“I’ve been in software since the 1970s like you’ve mentioned, there’s always a trade-off between convenience, ease of use, and security and I would say at least based on my experience, now the window is the narrowest I’ve ever seen.”—Ed

Ed: I’ve been in software since the 1970s, like you mentioned. There’s always a trade-off between convenience, ease of use, and security, and I would say, at least based on my experience, now the window is the narrowest I’ve ever seen. Meaning if I tweaked my tools a little more towards the security window, they would be so expensive and so cumbersome to use they wouldn’t be effective. And if I relaxed my security a little in favor of convenience, I wouldn’t pass the stringent requirements in order to operate in that environment. That’s probably the most ongoing, challenging environment that I can think of.

Ian: Like a professional tightrope walker.

Ed: Ha! I’ve never used those terms, but it’s pretty accurate.

Ian: Well, Ed, I really appreciate your time. Any last words for the CISOs listening on how to better protect their organizations, things that they can put into practice in the next 30 days?

Ed: Well, I’d turn myself inward and look at what I already had, and as quickly as I could, I’d move towards anchoring identity into human characteristics to lessen the bots and automated attack vectors.

Ian: Thank you so much for your time.

Ed: Thanks, Ian, glad to be here. ■