BCS Multimedia Editor Justin Richards interviews Paul Simmonds, CEO, Global Identity Foundation, about the best ways of safeguarding data, security and the internet of things, security training, about his past work with the Jericho Forum, and his ongoing work with the GIF.

Can you provide a bit of history about yourself?

I’ve been doing information security for longer than I care to remember! I’ve been Global Security Manager for Motorola, Global Chief Information Security Officer for ICI and CISO for AstraZeneca; and along the way I also co-foundered the Jericho Forum.

Can you clarify what it is that the Jericho Forum does or did?

Did - it doesn’t exist now. The Jericho Forum was founded in 2002 to basically highlight the fact that the world was rapidly going deperimeterized and that firewalls were ineffectual security boundaries. At that point, in 2002, there was a huge disparity between what the industry was offering us - they were trying to sell us bigger, more expensive, de-packet inspection firewalls to shore up our borders - and what our businesses - the global 100 - were doing was trying to operate outside those boundaries with joint ventures and talking directly to customers with B2B and B2C, and the firewalls were getting in the way.

And we were buying more and more laptops as corporates, and gradually our data was going right outside our firewalls, and the firewalls were basically becoming irrelevant. So Jericho’s mission was to highlight this thing called deperimeterization. And, along the way, we did a number of interesting things, including asking what all this will mean, such as doing computing outside of our borders, which the industry eventually caught up with now and calls Cloud Computing.

The final work that Jericho did - as a think tank of global CISOs - was to do two bits of analysis. Firstly, asking how you manage data in an environment that you don’t control; it could be cloud, it could be BYOD; it could be lots of other things. And secondly, how do you manage identity in a mixed environment, rather than one that you control? We can do a reasonable job if we own what we call the “locus-of-control” - in other words, if I own it all - typically called ‘Active Directory’, then I can make identity sort of work, for me and only me. But I can’t share it, and actually businesses require you to share it because we’re going deperimeterized. So how do we get from where we are with Identity to where we need to be?

But Jericho always said it was going to be a one issue party, all about deperimeterization, and after ten years we’ve shut it down, as we said we were going to do. Now the industry agrees with us, and says as much, so it was time to shut up shop and go home. Job done!

Were do you think we are now in regard to cloud security - are we there yet?

We’re never ‘there’, but we’re in a much better place than we were. There are some good tools and technologies out there, many on the (Infosecurity Europe) show floor, to deal with many of the issues. Jericho was always one to say if someone else is doing it, and doing it well, we’ll either partner with them, which is what we did with the Cloud Security Alliance. When we did the work ourselves to consider how do you “manage data in an environment you don’t control” we felt we had some bits and pieces to say on this, but there’s some really good work going on.

For example, IBM were doing some good work on Homomorphic Encryption, while companies like CipherCloud, who were on the show floor, were also doing some good work in this space; so the question was what should Jericho add? We needed to say a few things, in the area of direction setting and how the big picture should all fit together, but we’re not going to do anything major.

Whereas on the identity front, we thought that no one was really looking at this properly; it’s horribly broken, it’s a terrible mess, the bad guys are taking us for billions of dollars, on a yearly basis and, actually, it desperately needs fixing. And the reason it’s not being fixed is because fundamentally what we’re doing is wrong. So that was Jericho’s final bit of work and that actually spun out into what is now the Global Identity Foundation (GIF).

What’s the remit behind GIF and how’s it going?

It’s been going reasonably well so far; it’s been running as a website and think-tank since post Jericho days and it has now got to the point where we have looked at how we take it to the next step. How do we get manufacturers in over the next year and a half to two years’ time to actually build the beta ‘stuff’ so that we can start doing interoperability trials and, in order to do that, what form does the organisation need to take?

So six months ago we took the decision that it needs to be a global not-for-profit foundation, and committed to the fact that everything we do will be published and open source and a vendor neutral environment such that the likes of Cisco and Huawei can sit down around the same table, which they wouldn’t otherwise do along with others like Google and Microsoft, Alibaba and eBay too.

We need to do Identity once and do it properly; you can still put your secret sauce on the back end of it and all the value add that goes with it. In fact there are huge opportunities for new businesses based on the back of all of this, but fundamentally the identity ecosystem - that we’re calling ‘Identity 3.0’ - needs to be common and needs to be open source; we all need to do it the same way, so that we can trust each other. So you are authoritative about this bit of information about someone or something, (because ultimately it’s not just about people, it’s about entities) then how do you trust it? The answer is the only source you’re going to trust is the authoritative source.

For example; you might be asked: are you a British citizen? So who’s the authoritative source for that - it’s easy, it’s the UK Government. I don’t want to go elsewhere for that assertion, I want it to come from and be signed off by the UK Government. There are only 350 countries that issue passports so it’s a very short list to verify against.

So do you see yourselves as a more neutral source of best practice advice on security matters then?

It’s more than being about best practice advice. If it was only about that we’d have stayed as the Jericho Forum. It really is about taking it to the next level. Getting people to sit around the same table and saying, right, what are you going to build? And we’re going to build it once and properly. We’re not going to build it, because the whole beauty of the Identity 3.0 concept is that it is a 100% decentralised infrastructure. You don’t require a central body at the heart of it. You don’t require a CA of last resort; you don’t require a revocation authority anywhere in the system. So people can build the stuff for which they’re authoritative and that’s all they have to build and they can then consume from everywhere else. So this is a virtuous circle from that point of view. I do the bits for which I’m authoritative and I leverage the bits for which you’re authoritative.

What are your thoughts on the best way ahead when it comes to safeguarding data within the NHS?

It’s essentially what it says on the back of the GIF T-shirt. ‘Primacy’ is the: ‘am I in control of my information’; ‘Agency’ represents: ‘am I able to dictate who is able to be an agent on my behalf’, and obviously ‘global’ and ‘open’ are fairly self explanatory. This is why we thought we’d put it all on the T - shirt. But the concept, from a NHS point of view, is “it’s my data”, and ultimately, and “I want to be in control”.

Let me give you a slightly wackier example from an NHS point of view... Let’s say I’ve got a heart problem - I haven’t thankfully - so I’ve got a pace-maker and it’s an intelligent pace-maker so it does whatever intelligent pace-makers do these days; it’s an internet of things device effectively. It’s going to be internet connected so that when I’m in my house it can be monitored and it’s feeding information back, but ultimately it’s my pace-maker, controlling my heart, and it’s keeping me alive... therefore ‘primacy’ - I want to be in control of it. I want to be able to say, actually, all these people within the NHS, probably anyone within the NHS, can read the information from my pace-maker, but the only person who can tweak (write to it) it is my cardiologist. And that’s ‘agency’ at work.

In other words I am in control of who is acting as an agent on my behalf, so I can allow for all these different people within the NHS to be able to ‘read’ what’s going on, but do I really want my doctor tweaking my pace-maker - no - I only want my cardiologist to be able to do that, thank you very much! So ‘agency’ is really key and it’s how you put trust into the system... that I trust the NHS to have what I say they can have.

And we had huge debates when we wrote the original Jericho stuff about where does that extend to and we came to the conclusion that if my decision is that no one can read that pace-maker or whatever, and as a result I die, then that’s my choice; the same way that Jehovah’s Witnesses don’t allow for blood transfusions. Hence, just in the same way that a Jehovah’s Witness might wear a med-band that says: ‘no blood transfusions’, so even if they are involved in a serious road accident, medics have to respect their wishes, even if it means they’ll die, I should have that choice too - that’s ‘primacy’ at work. They’ve made an informed choice and if that’s the consequences of their action, then so be it. And, if I decide that only my cardiologist can tweak it and I’m flat out unconscious, and they can’t get hold of him/her, then, tough.

You’ve mentioned trust and openness there, which is a major factor within any security situation. We’ve also heard about transparency being a good way to gain trust, but the problem with making things too transparent is that it becomes transparent to not only those who wish to protect us, but also to those who wish to infiltrate a product, unit or organisation to do us harm. So how do we get around that?

Trust and Risk are heavily related; in particular trust is bi-directional. Having a mono-direction trust relationship is the wrong way we’ve being doing doing Identity 1.0 and, to a certain extent, Identity 2.0. Identity 1.0 is based on Sixties mainframe concepts, where the mainframe is god and, if you’re lucky enough, you might be deemed worthy to have an account on this mainframe. I’m just about old enough to remember that. That was the concept. And we’ve gone on that way ever since, where risk and trust are a one-way thing. If you’re lucky enough the computer trusts you.

What you need to understand is that this whole identity and risk thing is bi-directional. Any transaction is bi-directional. It’s asymmetric. Hence, if I’m doing a financial transaction, for example, ultimately the bank is going to cover my losses and therefore they are the ones taking the bigger risk. But I want to know that I’m on a genuine site because they could be a ‘spoof’ or a ‘man in the middle’ attack or whatever that’s going on, so how do we provide the trust? The risk from the bank’s point of view, is that I really am Paul Simmonds, that I am on a device that is clean, I am geolocated where the bank thinks I should be geolocated, and they’re going to feed in a whole bunch of other stuff into that equation which says: ‘he’s trying to do a transaction that he’s tried to do 50 times before’, rather than: ‘he’s now trying to transfer £30,000 into a Russian bank’!

So we do a load of identity stuff with a whole load of entities involved (entities are either people, devices, organisations, code or agents) - the device entity, the person entity at the end of it etc, we trust the device, we trust the code, we trust the geolocation code on his GPS is running in the trust zone on the chip, rather than outside, because one is better than the other; it’s just part of that risk equation.

So the banks are doing a whole load of risk calculations to say: ‘we think this is within our risk tolerance and within our risk appetite and we’re going to let the transaction go ahead’. On the other hand, I want to make sure that I’m actually talking to my bank and I’m not talking to someone who’s trying to spoof me or is sending me emails purporting to be from my bank, but isn’t really my bank. The way we solve this is by understanding all the entities involved in the transaction and because what backs this up invisibly to the user is a whole load of crypto that’s invisibly going on in the background.

So in this new world; I’ve got a banking persona, which is a digital cryptographic join between me and my bank, which gives me some new (unique) crypto. That now does two things - it allows me to authenticate to the bank because only I could assert cryptographically that that’s my persona, but conversely when I log onto the bank, because again there’s crypto involved in creating that persona, I can verify that that persona matches the banking website. So now we’ve got bidirectional trust; all enabled by the fact that we’ve created this banking persona, so I’m happy it really is the bank; and the same goes for email. However, wouldn’t it be nice, as well as the banking site going green when an identity match is made, that your ‘from email’ address could also go green too, once the crypto signatures have validated, thus ensuring it’s genuinely from that entity.

What are your thoughts regarding the internet of things and how we can make it more secure?

Again, very simply, it’s all part of the same model. So if you think about this concept of personas, which is just a join between two entities, here I’ve got a device entity - say a Philips light bulb. So the challenge is how do I bring it home and make it my Phillips light bulb so that I can operate it and you can’t? And the way to do that is through this ‘persona’ concept. So I come home and I say: ‘right, we initialise the light bulb, and we create a persona for the light bulb, in this case, probably not ‘Paul Simmonds’s light bulb’, we’d probably do it via a second persona (because this is a tree structure), so I would have an organisation that I’d create called ‘Simmonds family’ and that has people in it, which are my family, and again that’s just an entity, and one of the key things is that entity types need to be interchangeable; we don’t care if it’s a person or organisation, or whatever it is, you can do joins wherever you like.

So one the bulb is home and has been initialised so then I need to create a persona for the light bulb. So I want a join between: ‘device light bulb’ and ‘organisation Simmonds family’, so now this is the ‘Simmonds family light bulb’. Automatically in the background Simmonds family members are ‘Okayed’ to use the bulb. So if my son picks up his phone, the phone asks who has just picked it up, and ‘oh, Mathew’s just picked me up, fine, Mathew is a member of Simmonds family; thus he can (send a command to) control the light bulb’, so the light bulb, which has a very simple rule to allow any member of the Simmonds family to control it, will comply.

So now you’ve got a really simple join between two entities and a stupidly simple ruling that says any member of the Simmonds family may control this light bulb, but with a common Identity framework the assertions happen in the background - Joe Public do not need to do anything new. But unless you can assert in the background - an assertion that says: ‘member of Symonds family’ the light bulb says: ‘get lost’!

Some have said that mobile security is the new security background. What are your thoughts on that?

Again this model works beautifully for ‘bring your own device’ because you have a device - which is an entity type. So I have my device, and let’s imagine we have a ‘bring your own device’ policy; so therefore it has a persona called ‘Paul Simmonds’ laptop’ - so join of device and  Paul Simmonds - hence I’m now the owner of this laptop and then I can join that to wherever I want to.

I can put various persona cryptographic blobs on there, load them up such that if I had my E-mail on there, my E-mail store is automatically encrypting with Paul Simmonds’ keys, so my email is secure. But let’s say I wanted to use it for corporate use; when I enrolled in the corporation on day one, I’d get a corporate persona, a join of ‘organisation AstraZeneca’ and ‘person Paul Simmonds’, now I can take that corporate persona onto my ‘bring your own device’ laptop, and it now encrypts my corporate email with that corporate persona.

So I’ve now got two email stores on my laptop, one which is encrypted with my persona and another which is encrypted with my corporate persona and as long as I’m using the device then that’s absolutely fine, it just works and I can see both sets of email. If my wife uses it, it lets her see my email - probably because it’s a career limiting move not to let her see my email - but it doesn’t let her see my corporate email because that’s Paul Simmonds’ corporate email. The company can set the rules for their email, and I set the rules for mine, this is ‘primacy’ at work.

When I leave AstraZeneca I can’t assert anymore to that blob of crypto to unlock it that I am a current member of staff at AstraZeneca and therefore the data might still be on my machine, but it’s totally encrypted and I can’t access it because I now can’t assert that I’m a ‘current member of AstraZeneca staff’. So now the email can by distributed all over the world to various people’s ‘bring your own devices’, but the instant they leave the company then it’s useless.

What would you say is the biggest threat to corporate architecture at the moment?

Currently it’s the inability to do anything other than basic authentication. At the moment at corporation level we log onto Active Directory and we take the ‘might be Paul Simmonds’ using username and invariably weak password, (depending on who it is, all capable of being sniffed, hacked or guessed, and reused, because you are probably using the same password on 15 other sites).

So you’re taking this authentication that ‘might be Paul Simmonds’ and Active Directory when you log onto it, says: oh, yeah, legitimate user, legitimate password, thank you very much, this is Paul Simmonds, guaranteed. The IT department have now validated that that variable ‘might be Paul Simmonds is Paul Simmonds and it now passes that ‘Is Paul Simmonds, Guaranteed’ onto 60,000 servers within your company. And their only choice is to take that verbatim; they can apply no further risk controls. I mean it might be just accessing what’s on the menu this Thursday in the canteen or what are we going to issue as our corporate results to the city next Friday morning. There’s no concept of risk and context once you’re inside, because the computer says: ‘yes’, another drawback of the perimeterised mentality.

Are we in a good place at the moment when it comes to training staff with regard to security awareness or do you think we’re severely lacking that training in general?

Ultimately it is severely lacking. But I think the real problem we have is that the bad guys are getting so good at what they do. Actually a lot of the time you’re wasting your time because the technology isn’t there to back you up. I’m a security nerd at heart, but I’m also an optimist and I believe we still stand a chance of fixing it.

Let me give you an example. When I was the CISO for ICI (which no longer exists) we had a small viral outbreak on some of our machines and it was a very clever virus which sent spoof emails to try and get people to click on links. It looked at the domain it was in, and it stripped the domain ICI.com. Thus ICI is the organisation - now let’s mail merge that to a virus that we email out. It emailed stuff out on your behalf, from your machine. The template then read that: ‘the ICI security team wishes you to know that we have this problem, please click on this link, which will take you to this link: ‘ICI help desk’, and you can reset your password’, and everything else. That was the concept.

However, ICI was all upper case, but the spoofers had only capitalised the first letter, so if it had been Motorola it would have worked perfectly because it would have just capitalised the M and it would have looked perfect. But in the case of ICI it didn’t because it wasn’t fully capitalised - so you could tell. The same week the real ICI help-desk sent out an ‘all company’ broadcast and the security team got more calls asking about what the hot-desk sent out, which was genuine, than they did about the actual virus. And there’s your problem. The bad guys, when they are good, are getting really good. And that’s even before you get onto targeted attacks! That was a trivial mail merge attack.

So yes, we need to educate people about being careful, and better than we do at the moment, about general security within the organisation, and we need to tell them to be cautious, how to spot spoofs and to be as cynical as we all are, but the problem is that the ‘good guys’ often do themselves no favours in what they send out.

My daughter came to me saying that Nationwide had just sent her an email and she wanted to know if it was genuine. I looked at the email, and at the underlying raw code, and what the email said, and I could not tell whether it was fraudulent or otherwise. It didn’t help that Nationwide chose send their mail from a (different) hyphenated version of their domain name, which is what I’d do if I was spoofing them! Their method of confirming that it’s genuine is to say they’ll include my postcode in the e-mail, but this is information that is easy to get from a number of vendor sites legitimately or otherwise.

Do you think that the ‘good guys’ are winning or are we just about drawing even with the ‘bad guys’?

No, we’re losing badly, and it’s getting worse. We are getting better, but the ‘bad guys’ are getting “better” faster so the gap is widening, which is why we need to do something to address this. If we keep on doing the same thing that we’re doing today we are going to keep losing at a bigger rate. So the real question out there is: what are we going to do differently, which is the reason why I’m involved with the global Identity Foundation.

Probably 90 per cent of all the stuff that the ‘bad guys’ are getting away with have an identity-related root cause. When you strip back what they manage to do, it’s down to the fact that they’ve managed to exploit the identity, whether it’s by stealing passwords, hacking front ends, sending phishing emails or sending malicious code, (which itself has identity).

We think that with regard to Identity 3.0, if it’s promoted properly, and we get the industry behind it, and we are all working together to get it done, just once and properly, then actually we can put an enormous dent in what the ‘bad guys’ are doing; and I mean a really enormous dent.