A walk to the Fridge; A FIDO2 Story
The What –
I am constantly on the road, and constantly managing a personal brand as well as a commercial purpose, both serving my ultimate mission of helping to protect our collective children’s way of life from a technology, and ultimately likely in every way perspective. I went to pick up my fido2 token from the top of the fridge. Think CAC card in the military, or that RSA 6 digit token your bank shipped you in the 2000s that gave you a new number every 30 seconds. You see, in order to satisfy the conditional access policies, and access the secure SASE edge of my online world, I have to have a physical key along with something I know, and something I am plus meet a host of other very hard to duplicate criterion. This helps immensely reduce some risk with respect to cyber loss. Because of this, I am able to continually reduce the risks of password compromise, and the vectors from which web delivered attacks can occur. This thought made me realize something: I have a reason I would rather be here in a hotel writing this blog, meeting and strategizing with vendors, partners, partners clients, internal stakeholders, external education, self education, and more.
The Why –
I will try to paint a picture:
As we continue to lose this war on cyber security, an ever growing divide of the have’s and the have not’s emerges.
Imagine a fictional world at war, and the battle is happening in a place where 80% of the populous is in tinder stick-mud shelters and the 20% remaining is in hardened bunkers with plenty of rations and city like capabilities and normal daily life. The people in each scenario may have very different lives under active attack.
In our real cyber scenario, the problem isn’t a separation of available resources, it is more one of education and maturation. Modern computer and internet technology was born as a business multiplier, and the thought around malicious use, and abuse of code combined with the connectivity was somewhat unfathomable in the blindness of ever present demand for growth and return on investment. This is not any one’s individual fault, it is the nature of maturation of technologies in history and now.
The Educational Mission –
The question from the owner, or the executive is
“How fast can you have that server / service / wizbang techy thing, up and making our clients happier, more successful?” not
“What are our new risks based on this move and how can we ensure we meet the needs of security and business in a symbiotic way to ensure the private information our clients have shared with us is both appropriate and secure?”
This has to change. There are so many components of raising the tide of the practitioner, the business owner, the partnership, etc. There are equal parts of education inside each above as well as of the very vendors that provide the software that build our digital roads and waterways.
The Provider Professionalism Mission –
My Doctor could cease to be a medical practitioner.
My Attorney could cease to be a legal practitioner.
My CPA could no longer practice accounting.
My technology professional could… well they could continue no matter what.
In every other professional service, we have barriers to entry, educational requirements, apprenticeship in medicine via being in “residency”, because as we have escalating risk to our industry, health, financial and legal systems, we have always had to determine a standard of care and what it takes to meet it.
Similarly, once my doctor becomes a doctor, if that person kills enough patients by failing to honor common medical practices, they will no longer be allowed to practice medicine.
If my Attorney practices bad law or breaks the regulations they can be disbarred.
If my CPA fails to follow the principles of GAAP they can lose license
If my technology professional fails to follow.. wait, there is almost no impact. Today. This. Will. Change.
The point is we have to have a self led, educational combined with apprenticeship model of developing, licensing, and de-licensing our profession. I don’t propose this happens overnight, nor did the journey of any of the above professions. But we have to start working on ensuring a standard of care.
The Vendor accountability Mission –
When businesses creating cutting edge services and technologies at the pace of required ROI, bad products with poor safety records existed.
People burned alive in a sewing factory because the locked the doors; Now we have exit handles on doors at all buildings
Roofs crushed people to death when heavy snow happened; Now we have effective, geographical specific building codes to serve the difference between a hurricane, earthquake, and tornado.
People drowned in molasses in Boston; Inspection of tanks commenced quickly thereafter I would imagine.
I am trying to point out that Cyber Security and Supply chain risk is no different than the Industrial revolution. Similar technology that few want to understand but all want to use. Similar profiteering at the cost of abject risk. Why can we have a bad password with only 4 characters? Why does the vendor charge for advanced single sign on? We built steam engines that blew up, wires that killed people, and then we learned. This is going to start by two classes of people in the vendor land that will prosper –
- The New, Dev/Sec/Ops, modern architected, with a fairly deep understanding of modern PaaS, IaaS, and FaaS (DM Me if you want deeper understanding here) will have a strong chance of having security deep in the DNA and be flexible in architecture for both Vendor Lock In as well as the ever changing threat landscape.
- The Old, well funded, well educated from a board, and security team perspective, ones that acknowledge the sheer broken systems that were build by my first question rather than the second above in the education section. These can start to prioritize re architecting, re investing, reimagining, and re creating their world by using their existing business relationships and profits as momentum to beat category 1.
There will be an eventual death of the other categories in my humble opinion. Through legal attrition, privacy expansion, regulatory, and public trust costs.
While your employees start to move to where they can simply do their work you will face the more agile and secure competitor taking those employees.
I think the TLDR of this section is, there will eventually be no place for ignorance that causes the demolition of our collective world because the market always corrects.
The Consequence –
If the Colonial Pipeline and JBL meat packing attacks and their very minor effort required to accomplish destruction are indications, a concerted threat actor can make our world crumble. They can reconnoiter, plan and execute this attack on 70% of our world quickly through direct attack and supply chain / public infrastructure disruption. We are in the mud houses, and we are happy with that old router in the corner, or server 2003 r2 running our Line of Business software. We are a target made up of the above challenges.
The Hope –
We are in a Renaissance of Security maturity. I truly believe that in my heart. People are understanding the issue and its enormity, people are seeing how security and technology can meet all business requirements and empower business and our personal lives. Providers are becoming more and more operationally capable.
MSPs are starting to blow my mind at how quickly they consume and grow in the security space. In a recent article I saw companies worse off with patching levels than those supported by MSPs trends forming. Clients are asking security. Clients are allowing security people (Maybe with beards…) to speak at their own revenue kick offs and educating their own employees. We are starting to see technology as what Chris Hoose taught me it was 12 years ago. It is an investment that enables business, not an expense.
The combining forces as well as adoption of risk aggregators that understand their security mission will deliver security and technical capabilities at scale. Providers such as Microsoft, Google, Amazon AWS, IaaS, GreenCloud, Dropsuite, and hundreds more will and are better every day at this. These providers can deliver the operational and contextual components of security in partnership with technology and security professionals. They can and will meet education and professionalism growth requirements to make business ever more amazing, our lives ever more secure, and deliver on what every human wants to do when they put on their work boots in the morning; to have a good life with more sunshine than rain, to find love, and to provide for and love our other humans and pets.
Thanks for reading my thoughts.
Matt
