Back in 2013, I opened my ‘Hitchhikers Guide to Identity’ talk with the following slide.
As an industry, we’ve come a long way since then. Multi-factor Authentication is mainstream, as is Paul Madsen’s t-shirt contest at CIS. Most companies are no longer debating whether their security can be entrusted to cloud-based solutions, as IDaaS solutions gain traction across all kinds of enterprises. SAML isn’t dead yet, and Blockchain is getting a lot of attention for reasons that are still fuzzy to me, but OpenID Connect and FIDO continue to evolve along paths that could have tremendous impact on the security landscape.
But despite all these gains, the internet is still broken (and I don’t mean that in a Kim Kardashian “break the internet” way). The internet still doesn’t have an identity layer, which means the security of the internet is still inverted – we have to let people/services/bots/x come inside our digital domains first and connect before we can attempt to verify who they are and whether they’re allowed to be there. This “connect, then authenticate” approach was workable in the old days, but the de-perimeterization of the enterprise in the cloud and mobile era has greatly expanded the attack surface, a fact that hackers exploit all the time, to great effect.
And let’s talk about that “authenticate” part. Consider this typical scenario: someone registering for an account to access an online service they need (could be banking, shopping, entertainment, anything). The first phase would be that person registering for access – in essence, establishing an identity with the service provider. This registration flow could be as simple as her registering with a social identity (at a recruitment site, for instance), or as hard as her providing multiple pieces of privileged information as part of a rigorous identity proofing process (at an online bank, for instance). At the end of either flow, her service-specific identity gets established along with some authentication credentials (often just a username and password; maybe a second factor added on if she’s lucky). Those credentials are then used to re-establish her connection with the service from that point on, no matter what device she uses, no matter when or where she connects from.
What that means is that after sending her through a strong identity proofing process (like in the banking example above), part of what came out of it is a weak authentication credential. The strength and rigor of those credentials have nothing at all to do with the strength and rigor of the process that was used to establish them. In other words, there is absolutely no correlation between the assurance of the identity and the assurance of the authentication. We simply cannot solve our security woes without addressing this mismatch.
These foundational problems are why phishing, man-in-the-middle and DNS manipulation attacks still defeat our security controls, despite all the advances we have made. We’ve been saying that “identity is the new perimeter” for a few years now, but have we really delivered on that? The opportunity to address these foundational gaps using some innovative approaches to identity-based security is why I am joining Uniken today.
Uniken‘s core technology solves a problem we’ve had for a while – how to distribute encryption keys in a user-friendly and manageable way at massive scale – using some really cool math. Uniken’s product set uses that core technology to deliver solutions that address the foundational problems I described above by creating an identity-based perimeter at scale. This means we can secure your consumer-facing mobile apps using a strong identity that is unbreakably linked to the combination of person, device and app. That identity is used to secure the data at rest on the device and also create a mutually authenticated, secure (VPN-like) tunnel from the app to the service – all done without the user even knowing that it’s all happening behind the scenes. Stolen credentials are rendered harmless, the communication channel is impervious to man-in-the-middle attacks, and the user experience is simple and painless. Uniken’s unique approach to delivering the software defined perimeter built using identity allows your services to go dark, operating in a white-list mode where they only accept connections from authenticated identities. Services are therefore able to transition to an “authenticate, then connect” model, which is radically better as we’re now talking preventive security as opposed to detective security. Furthermore, the solution is privacy preserving because it doesn’t depend on user surveillance or data sharing with fraud networks. Those that know me will know how important that is to me.
Think of the possibilities this opens up to change the security game we’ve been playing, essentially with one hand tied behind our backs. That’s what is really exciting to me about this opportunity. For years I’ve been talking about how we could use identity to truly revolutionize the way we provide security to our customers and make it more human for people. Now, I get to drive that vision into products that can help make it a reality. It’s exciting, I can’t wait to get started, and I look forward to sharing more details about the technology, its benefits, and our vision with all of you in the coming weeks and months.