Accenture Security Blog
Insightful commentary on using security to enable enterprise growth while minimizing risks and defending against sophisticated cyber attacks.
In building out the cloud infrastructure, many of us in the tech industry hope that the cloud will be open, and that it will offer choice and freedom of movement. But a highly distributed cloud is far from inevitable. In fact, without a proper trust model the cloud is more likely to take on a centralized and fragmented (think "private cloud") form. In my presentation at the Cloud Identity Summit, I illustrated the relationship between the shape of the cloud and its underlying trust model:
 
Cloud Shape and Trust
 
Is it possible to construct a distributed cloud at all? What precedent do we have for creating a trust model that sustains a decentralized infrastructure?
 
Although the industry's current exercise in cloud computing may seem like a pioneering effort, in fact there are many real-world examples of highly integrated, industrial-strength, broadly distributed business networks. Known as "industrial districts," these networks have been the subject of recent studies whose findings on systems of trust offer key insights for developing similar arrangements in the cloud.
 
I found one such study by Henry Farrell particularly enlightening. His research focuses on the machine manufacturing industry in Bologna, Italy, where nearly every piece of a product is manufactured by a separate subcontractor. These independent contractors come together on projects rapidly and with only informal agreements. After describing the specifics of how these individuals maintain quality, price, and trust, he concludes:
Thus in summary, informal institutions in the Bologna packaging machinery district allowed actors credibly to commit to each other and thus to trust each other enough to maintain relationships that involved a high level of reciprocity and gift exchange. This in turn provided the necessary flexibility to allow firms to subcontract out highly sensitive and important parts of the production process.
Case studies such as this show that it's possible to build trustful distributed systems by rethinking the wheel, rather than by reinventing it.
 
 
 
 
In my presentation to CIS a few weeks ago, I discussed the distinction between trust and distrust as strategies for securing online activities. Because some of the material I presented isn't included in the slides (which you can download here), I thought I'd write a few things on this blog to clarify the slideware.
 
My main point at CIS was that the tech industry (and specifically the online security industry) is overinvested in distrust. Distrust is an approach that casts suspicion on all participants and introduces a "big player" to regulate everyone's actions. This approach has its uses, but is of course problematic.
 
In contrast, a trustful approach relies on models for multilateral, durable collaborative action. In the trustful model, the participants are empowered to contribute to the management of the relationship.
 
"Engineering social trust" may sound like a far-fetched or even impossible notion, but a significant body of research and even our day-to-day experience tells us it's a natural choice for security. I recently came across the work of Jeremy Rifkin, who I think summarizes this idea of instinctual trust very well:
"Recent discoveries in brain science and child development, however, are forcing us to rethink these long-held shibboleths about human nature. Biologists and cognitive neuroscientists are discovering mirror-neurons--the so-called empathy neurons--that allow human beings and other species to feel and experience another's situation as if it were one's own. We are, it appears, the most social of animals and seek intimate participation and companionship with our fellows."
(Quick cross-reference: empathy through mirror neurons is also central to the theme of John Clippinger's book, A Crowd of One.)
 
The work of social scientists is to unravel the mysteries of empathy and trust inherent to human behavior. But my call to action at CIS was to incite computer scientists to apply an understanding of instinctual trust to securing the Internet. This is a daunting task, but it's also a field ripe for invention. Is it possible to create trustful relationships on the Internet when most of the actors in that ecosystem aren't even human? Or even physical beings? Can corporations, government entities, and rogue applications be brought to engage natural beings through a trust protocol?
 
I believe it's possible. But unfortunately, our current investment in developing trustful systems is sporadic and poorly focused. I also believe this is about to change. I have it on good authority that Google is working in this space. I've also met with many technologists who are beginning to understand the importance of social trust in computing systems.
 
Finally, modes of trust and distrust aren't necessarily mutually exclusive. With proper understanding, we can build a security model that uses tools of distrust to create spaces where trust can flourish. But this won't happen by accident. So for my part, I'm pushing the industry to invest in mechanisms for social trust in online activities.
 
 
 
 
The Cloud Identity Summit concluded more than a week ago, but it's not too late to get some of the excellent content. You can download presentation materials at the Cloud Identity website, including my presentation on trust in the cloud.
 
Over the next few weeks, I'll be blogging on a number of the presentations, so stay tuned!
 
 
 
 
The session titles are tinged with cloak and dagger, anarchy and freedom of expression: "We don't need no stinking badges: hacking electronic door access controllers"; "Your ISP and the Government: best friends for ever"; and the intriguing "Practical cell phone spying."

My personal impression of the somewhat cult-like DEFCON security conference can be characterized as smart folk instinctively driven to share knowledge and unadulterated research for a greater good, whether it's the protection of civil liberties, revealing stupid security vulnerabilities and flaws in products, or unabashedly calling out vendors on incompetent engineering.

A smattering of speaker comments offers a sneak peek into the topics for this year's conference:
  • There is no patch for stupidity 
  • 15 year device life-time == long tail for bad decisions 
  • Privacy is a subtle thing
  • Software moves power on the grid
  • Download games at your own risk
  • An attack on any one node of an electric grid could take that entire grid down
  • There is no such thing as privacy. It is dead. Get over it.
  • What can you do with Twitter that is utterly evil? Lots and lots of things 
  • There are 155,693 public water systems - serving 286 million Americans....
  • I don't think you need a sophisticated exploit, there will always be a certain number of people that will click "yes" no matter what
  • Social engineering has a long history and works just fine on the Internet

I got a healthy dose of cyberwarfare, a lesson on building my own spy drone for less than $100 and the latest techniques to eavesdrop on a GSM mobile network.

That was interesting. However, something else made me ponder my digital life and seemed to unnerve me the most: how helpless we are against an unrelenting incursion into our personal data by devices, mobile applications, social networking sites, online retailers and every corporation we deal with.

Just the other day I signed up for my healthcare provider's portal and was asked to submit not 4, or 8 security verification questions - but 12. Each intimate question (e.g. what is your first car, name of your best friend etc.), officially meant to help prevent identity theft, is a part of one's life story that is stashed away in a corporate database that is very likely under-defended.
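As an added example (not from the original post), here is how a portal could store those verification answers so that a breached table does not hand over the life story in plaintext: normalize the answer, hash it with a per-record random salt and a slow key-derivation function, and compare in constant time. The iteration count, record layout and sample answers are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
ITERATIONS = 100_000


def normalize(answer):
    """Canonicalize an answer so casing, spacing and punctuation
    ('Honda Civic!' vs ' honda  civic ') don't lock the user out."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[\W_]+", "", folded)


def protect_answer(answer, salt=None):
    """Store a per-record random salt and a slow hash, never the answer itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_answer(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample answer; a real portal would never log it.
    rec = protect_answer("Honda Civic")
    print(rec)                                     # no plaintext in the stored record
    print(verify_answer(rec, " honda  civic! "))   # True
    print(verify_answer(rec, "Toyota Corolla"))    # False
```

The caveat a practitioner should keep in mind: answers like "first car" or "best friend's name" are drawn from a small space, so a salted slow hash raises the per-guess cost for whoever steals the table but cannot make low-entropy answers secret. The stronger mitigation is to collect fewer of them in the first place.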

And on a new front, we are quite vulnerable with our newfangled mobile devices and Internet appliances. SANS researchers found that 85 percent of smartphone owners were not scanning their devices for malicious programs.

Of course we don't patch our iPhone or Android smartphones because we assume these devices are trustworthy. Well, they are meant to be smart. Incidentally, 543 million such devices were shipped in the first half of 2010 according to Gartner. Unfortunately application developers are either incompetent or inadvertently working with software development kits that are grabbing location information, serial numbers and other data stored in local storage.

It seems we are headed to privacy invasion by a thousand cuts.

 
 
 
 
Last week, I attended (and presented) at the Cloud Identity Summit in Keystone, CO. It was an outstanding event, with deep content and meaningful discussion. I was glad to see that the subject I spoke on (trust) received so much attention at the conference. There also was a lot of excitement and consensus around OAuth 2.0.
 
Andre Durand kicked off the conference with a short, but profound introduction. His comments were heartfelt and insightful. Andre said:
"Identity is more than a job for me; it’s a passion. This conference isn’t about making money, I do it because I want us to get identity right.... Few technologies in IT have the potential to impact future generations, quite the same as identity"
Part of his speech felt like a Cliff's Notes version of my presentation (two days later) on social trust, with appeals to the human need for common purpose, shared conflict, and cooperation:

"For those in the industry, making a profit may be our #1 goal, but it can't be our only goal. We are the foundation of a secure digital way of life, and that way of life is under attack. We represent a path to the future where we are free to roam with confidence, and transact with security. My hope is that as an industry, we think how we will balance the power between us as individuals, the entities who on our behalf, power our identities, the enterprises we work for and our governments."

He then went on to issue a challenge to the industry:

"I challenge this community to strive for higher than simply profits. Yes, we must build sustainable businesses. Yes we will compete at times. But we must also work together. We cannot scale identity without cooperation, open standards, and a profitable ecosystem."

Admittedly, his challenge is a bit on the altruistic side, particularly considering the people in the room were the technical, not business, leaders of their organizations. But as Andre put it, "We are only 160 people [at the Cloud Identity Summit], but collectively we hold the keys to the future of hundreds of millions."
 
Well put, Andre! Thanks for a great conference!
 
 
 
Published: Jul-28-10
 

It was an interesting week in the Identity world.  For me the Oracle release of Identity Management 11g overshadowed the Cloud Identity Summit (hopefully Mike will blog shortly about his presentation). 

Since Oracle started acquiring Identity companies, I’ve talked about what Oracle might achieve in the I&AM space.  11g is the initial manifestation of that potential. 

11g was created for two purposes.  First, it is a ground-up rewrite of the best-of-breed acquired products, leveraging the various development standards at Oracle.  This means improved usability, performance, and security, as well as quicker time to implementation.  Second, it is the embedded security services within Fusion Applications, providing common security components that all future Oracle Applications will leverage.  It is this second part that I believe will represent a game-changing product. 

Too often I&AM projects are focused on integration of various infrastructure components.  To really achieve business value, I&AM solutions need to focus on enabling access to the systems that the business values the most. Those systems are the business's strategic applications, such as ERP and Analytics, and their customer-facing applications.  These are exactly the applications that have been driving Oracle’s requirements.

I got a good preview of the new capabilities and was very impressed.  As the remainder of the 11g functionality is released over the next 18 months, I look forward to many successful deployments. 

Giddyup.

 
 
 
 

Over the past several years I’ve had the opportunity to be a part of more than a hundred IAM projects.  Gathering post mortem information from those projects has provided a wealth of information on the good, bad and ugly of IAM initiatives.  What’s remarkable about some of the observations is that they really are true of any complex systems integration project.  Yet why is it, after all these years of having these exact points in our Accenture IAM point of view, preaching these points to our practice and our clients, that enterprises still get this wrong?

You can summarize the common pitfalls into a single sentence: “Your IAM initiative will fail if you have the wrong people working on the wrong projects, without a coherent strategy or plan, and without management attention or business oversight and involvement.”  

Stated the other way around, here are the top five common characteristics of a successful IAM program.

  1. Senior Sponsorship.  IAM initiatives are big, complicated, transformative, and often controversial. Successful programs have several senior IT and business leaders who are committed to the success of the program. They show that commitment with budget and personal attention.
  2. Continuous Improvement.  IAM is not the implementation of a tool; it is the improvement of an existing capability.  Successful programs operationalize identity around key business metrics to improve capability maturity. Metrics are defined around all of the IAM processes across all systems, resources and identities. A culture of continuous improvement is put in place to drive out inefficiencies and improve capabilities.
  3. Strategic Planning.  IAM is a long journey, not a once and done project.  Successful IAM programs have a strategic plan and the ability to track progress against that plan and adjust. Key elements of the plan include identification of where you are, where you are going, a business case, a roadmap, the team, your partners, and a process to govern the journey.
  4. Business Case Focused.  IAM can drive significant business value if done right, or waste lots of money if done wrong. Successful programs establish a business case during planning, track business case realization at the program level, and adjust the business case as the business imperatives change.
  5. Multidisciplinary Talent.  IAM talent is scarce and not easy to build.  Successful IAM programs invest in assembling and creating talent from a diverse set of backgrounds, including large scale program management, application development, business process reengineering, industry knowledge, IAM product knowledge, security and compliance. 

Of course, all of these points, including the last bit, are true of any complex IT initiative.  So maybe the most succinct way to summarize this is, “Your I&AM Initiative will succeed if you put your best people on it and treat it like most of your other successful, complex IT initiatives.”

Giddyup.

 
 
 
Published: Jun-17-10
 

I've been wondering about the shift in thinking that should be part of a conversation on cyber security.

 

It came down to one word: messy.

 

It’s fair to say we live in a world that is rather messy. Russell Ackoff defined "a mess" as "interacting problems or issues that are not easy to appreciate as a whole" (Flood & Carson, 1993).  You are in a mess if you can't put any structure on the situation.   So, are most organizations dealing with an unstructured security situation? 

 

Organizations are not closed systems. The Internet is a vexing source of "unknown unknowns". We depend on software which, upon closer inspection, is made up of piece parts whose true source is ambiguous at best. It’s "Office 2.0" for most organizations, with employees working from home and dealing with contractors, and no sure-fire way for the employer to tell what's good or bad behavior. 


It is safe to say, that when it comes right down to it most organizations are dealing with a very messy world.

 

The exponential growth in volume, speed, and diversity of data, the propagation of devices, and the rise in global threats are forcing the industry to think about messy security problems differently. In particular:

  • The correlation analysis used to flag a security incident or track an impending threat is still divorced from much-needed cause-and-effect accuracy. Visit a security operations center and you'll see plenty of false alerts and difficulty in prioritizing action.

  • The tolerance we have for broken links is untenable. To make informed risk-based decisions we need to bring together policies and regulations, cultural expectations, intelligence-gathering outcomes and the lessons learnt from incidents.

  • We can't build "naive" systems any more. They need to be "street smart" out of the gate, engineered with the knowledge that intrusions will get through and data will leak.

Maybe the shift in thinking is from “securing an environment” to surviving in an ever changing ecosystem?
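To make the point about correlation and cause-and-effect concrete, here is an added example (not from the original post) that runs two detection rules over a constructed auth log: a naive threshold rule that fires on any source with several failed logins, and a chain rule that only fires when failures are followed by a success from the same source and then a privileged command by that user. The log lines, addresses, user names, thresholds and windows are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system) in an sshd/sudo-like format.
# 203.0.113.9 is a noisy guesser that never gets in; 198.51.100.7 guesses
# alice's password, gets in, and then creates an account.
SAMPLE_LOG = """\
2010-06-17T09:00:01 sshd: Failed password for bob from 203.0.113.9
2010-06-17T09:00:02 sshd: Failed password for bob from 203.0.113.9
2010-06-17T09:00:03 sshd: Failed password for bob from 203.0.113.9
2010-06-17T09:00:04 sshd: Failed password for bob from 203.0.113.9
2010-06-17T09:00:05 sshd: Failed password for bob from 203.0.113.9
2010-06-17T09:03:10 sshd: Failed password for alice from 198.51.100.7
2010-06-17T09:03:12 sshd: Failed password for alice from 198.51.100.7
2010-06-17T09:03:15 sshd: Failed password for alice from 198.51.100.7
2010-06-17T09:03:20 sshd: Accepted password for alice from 198.51.100.7
2010-06-17T09:04:02 sudo: alice : TTY=pts/0 ; COMMAND=/usr/sbin/useradd backup2
2010-06-17T09:10:00 sshd: Accepted password for carol from 192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse(log_text):
    """Turn raw lines into event dicts with a timestamp and a kind."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, msg = datetime.fromisoformat(m["ts"]), m["prog"], m["msg"]
        if prog == "sshd":
            f = FAIL_RE.search(msg)
            o = OK_RE.search(msg)
            if f:
                events.append({"ts": ts, "kind": "fail", "user": f["user"], "src": f["src"]})
            elif o:
                events.append({"ts": ts, "kind": "ok", "user": o["user"], "src": o["src"]})
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                events.append({"ts": ts, "kind": "priv", "user": s["user"], "cmd": s["cmd"]})
    return events


def _recent_failures(fails, src, now, window):
    """Drop failures older than the window and return the ones left for src."""
    q = fails[src]
    while q and now - q[0] > window:
        q.popleft()
    return q


def threshold_alerts(events, n=3, window=timedelta(minutes=5)):
    """Naive correlation: alert on any source with n or more failures in a window.
    Fires on every scanner, successful or not, so it cannot rank what matters."""
    alerts = set()
    fails = defaultdict(deque)
    for e in events:
        if e["kind"] == "fail":
            q = _recent_failures(fails, e["src"], e["ts"], window)
            q.append(e["ts"])
            if len(q) >= n:
                alerts.add(e["src"])
    return alerts


def chain_alerts(events, n=3, window=timedelta(minutes=5)):
    """Cause-and-effect correlation: n failures, then a success from the same
    source, then a privileged command by that user, all inside the window."""
    alerts = []
    fails = defaultdict(deque)
    pending = {}  # user -> (source, time of the suspicious success)
    for e in events:
        if e["kind"] == "fail":
            _recent_failures(fails, e["src"], e["ts"], window).append(e["ts"])
        elif e["kind"] == "ok":
            if len(_recent_failures(fails, e["src"], e["ts"], window)) >= n:
                pending[e["user"]] = (e["src"], e["ts"])
        elif e["kind"] == "priv":
            hit = pending.pop(e["user"], None)
            if hit and e["ts"] - hit[1] <= window:
                alerts.append({"user": e["user"], "src": hit[0], "cmd": e["cmd"]})
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("threshold rule fires on:", sorted(threshold_alerts(evts)))
    print("chain rule fires on:", chain_alerts(evts))
```

On this input the threshold rule fires on both sources and leaves the analyst to sort out which one matters; the chain rule fires once, on the source that actually got in and changed something. The trade-off is that the chain rule stays silent when the brute force is still in progress, so in practice the two are layered: threshold alerts feed a low-priority queue, chain alerts go to the top of it.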

 
 
 
 
File this one under the "shameless self-promotion" tag: I'll be speaking at Cloud Identity Summit in Keystone, CO July 20-22.
 
This is shaping up to be a great conference, both in terms of the speakers at the conference and the quality of attendees. The venue isn't so bad either: Keystone is a ski resort with a base over 9,000 ft. and a summit over 12,000 ft., so you'll be a mile above Mile High Stadium. I'm guessing this will make the sea-level speakers (like my good friend Chuck Mortimore from Salesforce) a bit giddy on stage.
 
This is a great family spot, too. So cancel the staycation and come hang out with us in the clouds of Colorado!
 
 
 
 

While preparing to launch this blog over the past few months I started regularly reading a number of different blogs.  While there were a few that I followed before, I had certainly fallen behind and knew I needed to commit to not just adding to the dialog, but integrating into the conversation.  It was nice to see so many friends and colleagues out there in the blogosphere have interesting perspectives and so actively participate.  It was also nice to see that Planet Identity seems to have a good aggregation service to make my life easier.

As I was getting caught up on the Identity blogosphere, I realized that there was a clear place to insert into the dialog.  Really it’s the same place I interject in all the other dialogs, be that one on one with clients, in various meetings with alliance partners, or over martinis with colleagues in late-night intellectual debates. The contribution is generally what I describe as the quintessential Accenture flavor to the Identity discussion.  Fundamentally that means we will naturally tend to be:

  • Business value led.  As the largest systems integrator, all of our solutions need to provide business value for our clients.  If they don’t then we shouldn’t do them. If our clients still want to implement those solutions, we stand firm and don’t do them.  We have to take a long term view with our clients, and our posts should tie back to how clients can get value out of a particular solution.
  • Industry focused. Fundamentally, Accenture’s business is aligned around Industry verticals.  Our solutions need to be relevant to the industries we serve and you will see a heavy slant towards industry specific conversations in our posts.
  • Global in nature.  Identity is a global topic and Accenture is a global organization.  In our global identity practice we have one point of view (well, we have lots of points of view, but one set of materials we all contribute to), one strategy, one consistent approach.  We apply that strategy and approach in each geography we serve. Our posts will cover topics relevant to different geographies.
  • Practical.  Having an Identity business that includes strategy, delivery and outsourcing requires a level of practicality that others may not be forced to follow.  Our clients expect to build what we envision, so they need to be practical solutions that can actually be delivered.  Our clients often expect us to run what we implement, so those solutions need to be maintainable over time.  Our posts will often focus on practical implementation of solutions.

For those who know me well, you are probably expecting me to convey those thoughts ALL IN CAPS.  I’ll try to refrain.  Clearly it is time for Accenture to contribute to the public dialog.  There has always been an active discussion internally, but the commitment to the blogosphere is purely voluntary, so we shall do our best to keep up.

Giddyup.

 
 
About the Authors

Bill Phelps is an executive director in Accenture's Technology Consulting practice. He has spent more than 20 years in technology se...
 

Jeff Margolies is a Senior Director in the Accenture Technology Consulting Security business. He is the global lead for Identi...
 

Mike Neuenschwander is a Senior Manager in the Accenture Information Security Practice. A recognized thought lead...

 
Walid Negm is a member of Accenture’s Technology Labs where he has global R&D responsibility to help accelerate the adopti...
 
 