Authenticate Identity Before You Connect – Message Delivered at RSA 2019

BlackRidge Technology was delighted to exhibit at our first RSA Conference; a premier venue for any cutting-edge security company, but likely out of reach for those small and growing like us. Our friends at OATH made the improbable possible by providing us with kiosk space in a high-traffic zone full of great conversations. Thanks, OATH!

Having attended 12 of the last 13 RSA Conferences, I’m a good judge of quality interactions and novel value props. As Forbes contributor Sam Curry observed 2019’s conference felt undeniably commercial. Perhaps because breaches with loss, waste, and damage have become so commonplace and the risks so enumerable, what was once a conclave for the paranoid is now a giant group therapy session for the business. And the paranoid have been proven right.

Our message needs to be heard, which is why our team was so delighted to exhibit. Authenticate Identity

Not every company can claim to have fixed a key Internet flaw, but we did it 9 years ago. You’re only now learning this because our primary focus heretofore has been U.S. defense institutions and the public sector. Ironically, that’s where the problem began. In the days of ARPANET and its creation of the protocol suite known colloquially as TCP/IP, trust was implicit. If you were on the network, surely you belonged there. Two distant US Military researchers collaborating on ARPANET had no reason to doubt the identity of the other.

Cut to the 1990s with the explosion of the World Wide Web and the “Internet”; the implicit trust model of TCP crashed ashore in the relentless wave of commercial adoption. Nobody bothered to fix it because we were all too busy capitalizing on it. Left with TCP’s inherent connect-before-authenticating identity paradigm, whole categories of security products emerged to retrofit the Internet. This array of address-focused technologies lives (and lumbers) on today. “Which address(es) should we allow, and which ports? Which should we disallow? Are some address ranges associated with known risky geographies (aka Internet Xenophobia)?” What a morass.

Visitors to our kiosk, whose misfortune it was to engage me before being passed into far more capable hands, came socratically to realize that addresses are not identity and cannot even reliably substitute for identity. Address-based solutions were never the answer to the problem.

    “What’s the name of someone you know very well?” Address is not an identity
    “­­­­________."
    “What’s the IP address on ______’s mobile phone?”
    “I don’t know.”
    “Why would you?”

This one question and its answer disavows the relevance of addresses to ascertain identity. Why is it, then, that $billions are spent on address-based security products?

We at BlackRidge don’t know, either. Nor can we understand capitulation to the inevitability of breaches. Admitting defeat in this way results in wasteful spending in every company; threat hunting, firewall rules updates, redirection, obfuscation. None of this makes anyone (save vendors) any money. This mindset I call, “Lose Less.” Myriad companies are peddling fear, hoping customers will spend with them to stem losses.

“Lose Less” sells, for sure. What about “Make More”? Who’s pitching that?

People engaging BlackRidge learn that immutable cryptographic identity - asserted and validated before machines connect – is the right way to define access among people, devices, and applications. It’s the way to throw a permanent block to the bad guys they can’t even see coming. Why wait to respond to what they do, hoping at best to cut losses? Why not try something that renders them moot?

We conversed with folks from all corners pining for something fresh. We shared our approach to zero trust environments, called First Packet Authentication™. We articulated our IIoT solution that gives identity to any device (robots, conveyor belts, transformers, CT-Scanners, etc.) We streamed live proof that no one in the universe could connect to our wide-open AWS server. People were impressed, and many of them stayed longer than most show visitors might ordinarily. Some even asked to meet later. One new partner engaged our thinkers on-site and walked us into an opportunity the very next day. This stuff is compelling. We offer businesses the world over the chance to control the game; to gain ground, instead of merely holding it. Let us know if you’re ready to move from reacting to controlling. We’re not afraid of “them” and neither should you be.