Retiring this blog

Photo by Ethan Ou on Unsplash

This is being written a few years too late. Then again, I don't think too many people read blogs like this the way we all used to.

It's been a great run here on this blog. As time has moved on, so has the way people consume information, and my area of focus. While I do still get involved with Identity & Access Management (IAM) matters, it's only a portion of what I spend time doing.

So I'm leaving all my previous posts here for posterity, and am officially retiring this blog.

The starting of this blog actually coincided with my move from Sydney to London. As an indirect result, the best part of blogging here has been getting to know the other people in the IAM blogosphere all over the world, from Europe, where I was based and most prolific in my writing, across to North America. I even got to meet and interview the then President of Oracle, Charles Phillips.

Blogging gave me access to speak with people internationally for professional reasons, which was not something I had before being just a few years into my infosec career and having my community be very localised to Sydney, Australia.

Thank you to all the other bloggers I've had the privilege of interacting with over the years, and to all of you for reading and commenting.

Nowadays, you can still find me writing on a multitude of different platforms including LinkedIn, Medium, and other official media publications.

For the most updated set of links to where I may be posting things, check out ianyip.com or follow me on my social media accounts (LinkedIn, Twitter).

Invisible Identity

Photo source: Michael Shaheen - My Name Was Michael & The Rest Is History

In my previous post, I promised to explain the following:

Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.

If you've been to any of Disney's theme parks recently, you may have noticed they now have something called the MagicBand. It cost them a lot of money. Disney calls it "magic". The technology powering the MagicBand infrastructure was complicated to build, but they've done it and have the increased revenue to show for it. They've also managed to turn what is effectively a security device into a new revenue stream by making people pay for them, including charging a premium for versions that have Disney characters on them.

While it does many things, arguably the key benefit of the MagicBand is in delighting Disney's customers by providing seamless, friction-less, surprising experiences without being creepy. For example, when you walk up to a restaurant, you can be greeted by name. You will then be told to take a seat anywhere. Shortly after, your pre-ordered meal will be brought to you wherever you chose to sit, just like magic. If you understand technology, you can inherently figure out how this might work. But the key in all this is the trust that the consumer places in the company. Without the trust, Disney steps over the "creepy" line.

How does Disney ensure trust? Through security of course. Sure, the brand plays a part, but we've all lost trust in a supposedly trusted brand before because they screwed up their security.

The key pieces of that security? Identity proofing, authentication, access control and privacy, none of which is possible without a functional, secure identity layer.

Conveniently (for me), Ian Glazer recently delivered 2 presentations that go into a little more depth around the points I'd otherwise have to laboriously make:

1. Stop treating your customers like your employees
2. Identity is having its TCP/IP Moment

If you have some time, do yourself and favour and follow those links - you might just learn something :)

What Disney has managed to achieve within their closed walls is exactly what every organisation trying to do something with omni-channel and wearables would like to achieve. Disney is a poster child for what is possible through an identity-enabled platform, particularly in bringing value to the business through increased revenue and customer satisfaction. Identity truly is the enabler for Disney's MagicBand.

The reason it works is because no one notices the identity layer. Not every organisation will be able to achieve everything Disney has managed, but even going part of the way is worth the effort. Only by ensuring the identity layer is there, can you really make it invisible.

Until people stop noticing the identity layer, you need to keep working on it. Only then will the business see the full potential and value that identity brings to increasing revenue.

Identity needs to disappear

Photo source: Paul Chapman - The disappearing machine

In recent years, security vendors, including ones that don't sell Identity & Access Management (IAM) products, have been pontificating about how identity needs to be the focus for all things security. They (my current and previous employers included) continue to be on-message, each beating everyone to death with their own version; identity-centric-security, identity-powered-security, identity-defined-security, identity-is-the-perimeter, identity-is-the-foundation, identity-is-the-intelligence, and on and on.

Yeah, we get it. Identity is VERY important. Enough already.

The problem with rolling out the same message for years is that people stop listening. It's like the age old line in press releases: "the market leader in"; sure you and every other vendor out there. The market leader. Yeah, right.

Ok, so I'm being a little cynical. But the fact that as an industry, we've had to go all broken-record on this means:

1. We've not been very effective in explaining what we mean. AND/OR
2. No one gives a crap.

The truth is probably a combination of the two.

From the 10,000 foot marketing message, we have a habit of diving too deep too quickly, skipping the middle ground and heading straight into explaining, debating and architecting how everything needs to hang together. For example: "You need to federate between the identity provider and service providers using standards like SAML, OAuth or OpenID while maintaining a translatable credential that can be trusted between partner domains. Which OAuth do you mean? 1.0? 2.0? Can't we just go with OpenID Connect? Doesn't that cover the use cases? We're effectively supporting OAuth right?"

Errr, yeah. Sure. Hey, architect person, I'm not entirely sure what all that means, but we do that, right? And why do we do that again?

We often explain the "why should we care" answer by saying "you need security because you do, and identity is the key". And therein lies the problem. The "why should we care" question is difficult to answer in a meaningful, tangible way.

In addition, the reasons tied purely to security and risk no longer resonate. It's arguable that they ever did at all, but we could always pull out the audit, risk and compliance stick to metaphorically beat people with (oops, did I say that out loud).

Today, we often pull out the data-loss card. But we can do better:

Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.

I'll explain in the next post.

Update: The next post is up.

Hey security managers, go hire some marketing people for your team

This is not a plea for organisations to start actively hiring people away from vendor product marketing teams. But if you want to look for people to point the finger at and explain why you aren't getting the budget required to actually secure your environment, product marketing is a good place to start.

There were 2 key messages attendees should have taken away from the Gartner Security & Risk Management Summit in Sydney a few weeks ago:

1. Security priorities tend to be set based on the threat du jour and audit findings.
2. Security teams need to get better at marketing.

Here's the problem:

1. Sensationalist headlines sell stories, which attracts more advertisers. This means the threat du jour will get the most airtime.
2. People who hold the keys to budgets read headlines, which perpetuates the problem.
3. Product marketing teams know this. So, to get more inbound traffic to their websites, the content creation and PR teams craft "stories" and "messages" around the threat du jour.
4. Publications notice that vendor messages are in line with their stories, which fuels the hype.

It's like how seeing something on fire makes us think about checking whether our insurance covers fire damage. Meanwhile, the front gate's been broken for the past week but we've left it alone because no one's stolen anything from the house yet.

How can an internal marketing campaign driven by the security team help? You won't be able to stop the hype that builds up around the threat du jour. But as an internal team, you should know what the organisation you work for really cares about in business terms. Take audit findings as an example. While rather boring, translate audit findings into tangible, financial implications for the business and you suddenly have something worth talking about as an overall program instead of a checkbox to tick (which is unfortunately how a lot of internal security budgets get signed off).

As a starting point, take a look at my tongue-in-cheek post about contributed articles. While laced with sarcasm, the structure of my "meaningless contributed article" template works (because it's a structure many are subconsciously used to) if the content holds up. Ensure you have the following points covered:

• Detail the industry trends that are affecting the organisation.
• What are independent sources (both internally and externally) saying about them?
• Why should the business care (don't use technical terms)?
• Outline some meaningful metrics (an interesting metric does not necessarily mean it's useful - ask yourself if anyone in the organisation will care).
• What does it mean in financial terms for the business if something is not done?
• What have other organisations done to solve the problem?
• What are the steps the organisation you work for need to take and what are the benefits (again, don't use technical terms)?

The mistake many of us make is in thinking marketing is easy; it's not. And it takes good marketing to sell security internally. Crafting an article can help hone in on what really matters and justify budget allocation, which makes it easier to ignore the noise.

Great marketing focuses on what matters by simplifying the messages and communicating the value, be it emotional or financial. This is what most security teams do not know how to do, which is why budgets are not allocated to fix that lock on the front gate. Instead, budgets are spent on fire insurance.

I know this is ironic coming from me as I work for a security vendor. But if security teams hired marketers to communicate the things that matter to an organisation's security instead of the threat du jour, we as an industry will benefit from it.

As an aside, ever notice how many security companies have the word "fire" in their name?

How to spot a meaningless contributed article

What is a contributed article? They're the ones where the author works for a vendor or solution provider and not the publication. In other words, their day job is not as a journalist. I'm speaking from first hand experience as I've written a number for various publications and understand the process.

Contributed articles do not typically involve any form of payment. When they do, reputable publications will disclose this fact. More commonly, they are freely given to a publication based on a brief that was provided. For example, a publication may say they are interested in a contributed article about a new smartphone's features and the implications on digital security. A vendor's marketing and public relations team will then work with a subject matter expert (SME) on crafting such an article for submission. Of course, if the SME isn't really one, then nothing will save the article.

Naturally, the process results in content of varying quality. The worst ones are typically not written by the individual, but ghost-written by someone else (usually without sufficient domain expertise). The vendor spokesperson/SME simply gets the byline. These end up sounding generic and the reader learns nothing.

More commonly, the resulting article is an equal and collaborative effort between everyone involved. While this is marginally better, it still sounds unauthentic, somewhat generic and provides little value. Why? They keyword here is "equal". The SME needs to be the main contributor instead of simply providing their equal share of input.

The best contributed articles are the ones written by someone:

1. With the necessary domain expertise.
2. That knows how to write.
3. That has the time to do it.
4. Willing to allow an editor/reviewer to run their virtual red pens through it without getting offended.
5. That is not blatantly trying to sell something.

Unfortunately, contributed articles tend to be mediocre or just terrible and that is a real shame, because there are lots of really smart people that could produce great content (with some help and editing) if they weren't under corporate pressure to be 100% "on message". The art of course, is to be "on message" subtly while still being able to contribute to the conversation in a meaningful way.

So how do you spot a meaningless contributed article? They usually look like this...

Meaningless headline that was put here for click-baiting purposes

You know that issue that's been in the news this week? And that other bit of similar news from last week? Oh, and those other countless ones from the past few months? They're only going to get worse because of buzzword 1, buzzword 2 and buzzword 3. Oh, don't forget about buzzword 4.

That large analyst firm, their biggest competitor and that other one that tries really hard to be heard all agree. Here's some meaningless statistic and a bunch of percentages from these analyst firms that prove what I'm saying in the previous paragraph is right. I'm adding some independent viewpoints here people, so it's not just about what I'm saying, even though it is.

So what to do about all this? You should be really worried about solving the problem you may or may not have had but now that I've pointed it out, you definitely have it. You aren't sure? Well, then listen to this.

Here's an anecdote I may or may not have made up about some organisation that shall remain nameless but is in a relevant industry relating to what I'm trying to sell you, oh wait, that I'm providing advice on because you've got this really big issue that you're trying to solve but just don't know you need to solve it yet but will do once you've read this.

So how do you solve your problem? Well, the company I work for happens to have a solution for this problem that you've now got. I won't be so blatant as to tell you this, but you will no doubt look me or my company up that search engine thing and see what we do and put it all together and then contact our sales team who will then sell it to you so I can get paid.

Here is another anecdote I may or may not have made up about how an organisation has solved the issues I've so clearly laid out for you that can so easily be solved, as shown by this very real (or fictitious, nameless) organisation.

My word-limit is almost up so I'll tell you what I've already told you but just in a slightly different way. In conclusion, you're screwed unless you solve this really generic issue with the silver bullet that organisation x used. So, buy my stuff.

I'm not saying every article with these characteristics is terrible. But very often, the "I have a hammer to sell, so everything is a nail" articles are structured this way. They are generic and leave the reader with the feeling that they just read a bunch of random words. I for one, stop reading an article when it starts to smell like this.

Note:
For the record, I NEVER allowed my articles to be ghost-written, much to the frustration of the people managing the whole process. The problem this introduced was that content could not be churned out as quickly because I became the bottleneck. I wouldn't even agree to have someone else start the article for me. I had to start it from scratch and have final approval on it (once my drafts were run past a set of editors and reviewers of course). This made for more authentic, balanced content while still maintaining some level of being "on message", which kept marketing happy.

Doing business in Asia: five etiquette tips

I contributed a piece in Australian BRW late last month that had nothing to do with IT Security, but I thought this may be of interest to those of you out there new to doing business with Asia and would like somewhere to start.

It's quite general, but large mainstream publications want content that will appeal to the masses, not niche pieces that few people will care about. So, if you're an expert on Asia, none of what I've written will be new.

Here's a teaser:

"Business etiquette in western countries is similar enough that we get away with most things. The little quirks are normally overlooked or forgiven, using the “not from around here” explanation. Asia however, is a slightly different animal."

Check out the full article on BRW. 

RSA Conference 2014 redux

If you follow me on Twitter, you probably noticed a heightened volume of Tweets from me during the RSA Conference in San Francisco. It was great catching up with many of you based stateside that I rarely get to see in person. I was also fortunate enough to be allowed to attend sessions and live-Tweeted the ones that were interesting. Therefore, I'm not going to regurgitate/organise my Tweets into thoughts here. I will however, highlight a few key points that I felt were important.

NSA, NSA, Snowden, NSA

This was an RSA conference where everyone was talking about the NSA. First, there were the well-publicised boycotts from speakers. Then came the competing conference. Then there were the protesters. RSA Chairman Art Coviello opened the conference and addressed it up front (right after William Shatner's song and dance). Stephen Colbert closed the conference with an NSA-heavy keynote (incidentally, he was hilarious). And in a show of courage or stupidity depending on your perspective, the NSA even had a booth on the expo floor.

There were many stories written about this during the conference, so just use your search engine of choice. But if you don't feel like searching, check out the New York Times' Nicole Perlroth and her blog post detailing some of the NSA-focused activities. My Tweet stream was also relatively NSA-heavy, so go check that out too.

Damage control

There were many US Government speakers from various departments and they all had one thing in common: they were in damage control mode. Essentially, it boiled down to these points:

1. We assumed everyone knew we do the whole electronic surveillance thing. We didn't know it would be such a big deal and we're sorry, but we have to do it. And by the way, better it be the US Government than some foreign hostile nation. They're all just pissed that we're so much better at it than everyone else.
2. We must work on collecting only what we need instead of absolutely everything. But if you've ever tried to do this, you know it's easier to collect everything instead of being selective.
3. We, the US Government, want to work more closely and cooperatively with US companies on making the Internet, technology and the real world safer for all.

Encryption

How do we make life more difficult for governments to spy on us? Encryption. Sure, governments have quantum computers working at cracking encryption measures, but they really don't like having to do it. It was a topic of discussion during the cryptographer's panel and made in relation to the NSA. Bruce Schneier has mentioned it on many occasions and reiterated his sentiments during his session at the conference.

I said it in my IT security predictions for 2014 and I've mentioned it on television.

Start with encryption. It won't fix all your security issues, but it's a good start and a good countermeasure for issues beyond the NSA and government spying.

Privileged user controls

Despite the fact that Snowden's been the poster child for the fact that privileged users can do a lot of damage, there wasn't a great deal of noise (compared to the NSA and government spying), except in sessions relating to industrial control systems. In every session I attended where industrial control systems were a topic of interest, privileged users came up as a primary focus area. Often, industrial control systems are tied to users directories (usually Active Directory) and most attacks simply aim to compromise an account within the directory. Once compromised, an attacker will escalate privileges until they have sufficient access. In other words, the more "administrative" the account, the quicker the compromise. In short, at the very least, organisations must secure and monitor privileged accounts in directories and operating systems.

Internet of Things (IoT)

You didn't need to attend the conference to know IoT is big in 2014. While I don't believe many are doing anything in terms of IoT, I don't discount the fact everyone wants to talk about it. It became clear in listening to some IoT-focused sessions that the biggest challenge in securing the IoT at the moment lies with the ignorance and complacency in the manufacturing process, particularly with device manufacturers.

Far too many do not implement (or care about) basic security practices in delivering a product. Many use default settings, which are often insecure. In addition, they often reuse the same insecure software components in updated versions. Beyond this, there is difficulty patching existing devices, particularly in trying to figure out how to do this without user intervention. We can't even get this right for existing computing devices. How are we expected to get it right for devices with in-built computers most are not aware of and cannot access easily through a usable interface? This is why it's relatively easy to hack cars.