By Bob Graham, CEO and co-founder
Steve Case, the founder of AOL, recently published an op-ed in the Wall Street Journal, where he commented on the evolution of the internet. It got me thinking about security in these waves of the internet. Here’s what Steve had to say:
“The First Wave was about building the Internet. Companies such as AOL created the underlying infrastructure and brought America (and the rest of the world) online. This phase peaked around 2000, setting the stage for the Second Wave, which has been about building apps and services on top of the Internet.”
“Now the Third Wave has begun. Over the next decade and beyond, the Internet will rapidly become ubiquitous, integrated into our everyday lives, often in invisible ways. This will challenge industries such as health care, education, financial services, energy and transportation—which collectively represent more than half the U.S. economy.”
So What Does This Mean for Security?
During the first two waves of the internet we always had a way back if something went wrong, especially in the financial sector. Your bank branch was still there, even if no one was on either side of the desk. Retailers could still take cash. Your doctor had a batch of paper files in his office with your health history. Your repair man didn’t have a Square credit card reader yet, and so on. We are now at the tipping point. We are at the point at which the old infrastructure is no longer there, or, if you are in some third world countries, you skipped the infrastructure stage altogether. For the third wave there is no going back!
Security and the Internet
Case’s definition is a good way to think about the internet and the related security issues that we are facing. Security in the first wave was all about firewalls, identification and authentication systems, and some monitoring. If things went south you could buy a printed newspaper or go to the bar and talk to your friends instead of chatting online. If your online bank account was hacked it was only for a few thousand dollars, not the tens of millions recently stolen from a Federal Reserve Bank.
Security in the second wave has been about next generation firewalls, behavioral analytics and multifactor authentication, with some encryption thrown in for good measure. This is when the bad guys started winning. The architecture of the internet is open and accessible and was never designed to support the types of transactions and data we are now using. This is indicated by the failure of security products and companies to deliver reliable cyber security. They have mostly focused on after-the-fact detection, the “Hey, you have been robbed” type of security. Security companies came and went as they failed to solve the problems of the internet. How messy things have become is also indicated by how easy it has been for governments and bad guys to use the internet to their advantage. Think Russia, the NSA, China and others if you need examples.
Security in the Third Wave Needs to be Different
So here’s the problem: the Internet was designed to run in the open. It sets up a session between a user and a server, and by extension the application, before any data about the user is transferred. It is like the telephone before caller ID: let me tell you all about myself and then I’ll ask who you are. The Internet then transfers the data, or as we say, runs at the application layer, in the open or with encryption in a limited number of use cases, and blasts out to anyone listening what you are transacting. It is as if you opened the front door, let them in, and then waited to see if they steal anything.
Mobile Was Not Open Like the Internet Until Now
For most of the first wave, mobile did not count. It lived in its own world with its own technology. In the second wave it began to play in an important way, and one of the leaders has been Apple, the one company that does not believe in open anything! All closed. Apple has taught us a lesson, but this has also aggravated the security issue. A closed system works, but once you leave the tower and enter the internet you are as vulnerable as the next guy. Apple is trying to create end-to-end security through encryption and tokens. This is part of the solution once the traffic leaves the closed mobile environment, but not the total solution.
Mobile Shows Us How to Make Security in the Third Wave Happen
The Internet is open, but the session connection must be secured, authenticated, encrypted and trusted end-to-end. Yes, mobile is taking the first step with end-to-end encryption and the use of tokens to shield key data like credit cards and such. HTTP/2 with TLS is another step in the right direction, however it is not enough. Once traffic leaves the mobile environment and is on the Internet, we are still only dealing with the application layer, and on the Internet we may still be totally open.
The Third Wave is All About the Bad Guys!
The bad guys are everywhere and we will not get rid of them! Encrypting malware and transmitting it is worse than sending it through an open Internet, where at least you can see it. Firewalls can’t see encrypted data and they have to make guesses as to what the application is doing. This may have been doable at 1GbE, but at 10GbE and 40GbE it starts to get hard and at 100GbE it is almost impossible. And this assumes you have some decryption capability and time to do pattern recognition.
What Does a Perfect Bad Guy Infested Internet Look Like?
1. Applications are isolated from the operating system
Why? Because you have to assume the platform is compromised. There are ways today to do this and it has to happen fast. For example, running on a known instance of a secure operating system or operating in a canister that is destroyed after use. Think Docker, Bromium, and others.
2. Lots of cloud-based analytics
The firewall folks are moving in the right direction - telling a firewall that an endpoint is in trouble via the cloud is good but not good enough! Vendors are installing endpoint based software that communicates the health of the endpoint to the cloud in hopes that the cloud can intercept a compromised session at the firewall or somewhere else. This will not work in high speed networks.
3. Identity is used at the transport layer
We had that once, in the beginning: it was called IPv4 with no Network Address Translation. Not anymore, even with IPv6. Mobile, virtual machines, and the Internet of Things have all made relying on Internet addresses useless, just like relying on a fake caller ID when answering a call.
Further, as network speeds and feeds accelerate, the endpoint-to-cloud-to-firewall feedback loop becomes less and less useful.
4. All data in motion is encrypted in your infrastructure
I used to be a storage guy so I am going to make a plug for the last piece of the puzzle. Once you have run that application in the secure canister, don’t have it talk to the storage device unencrypted. Encrypt data on the fly in that last step and keep it that way.
How to Really Secure the Third Wave
We need to use and authenticate an endpoint’s identity in the Internet transport layer before a “call is answered,” that is, on the first packet. This is the only way to change the picture from “Oops! I’ve been robbed” to “Secure Caller ID” for the Internet. This means I am not answering unless I know you, and I am certainly not going to talk to you unless I know all about you. Then we need to tie the identity of the incoming traffic from the endpoint to a strong encryption process, use a secure canister or platform, and do it all on the fly.
This allows the server to understand that you have been authenticated, that you are the right application, that you are connecting to the correct cloud portal, etc., before the server or cloud accepts the connection. Then the application can decrypt the data and use all your usual tools to understand if it is safe. This needs to be done at the server or cloud level, and not at the network level. Pulling the security solution out of the network and towards the application and cloud improves the chain of trust.
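To make the “Secure Caller ID” idea concrete, here is an added example that is not code from the author or from any product he refers to. It sketches, in Python, a callee-side gate that decides whether to answer at all based on the first packet: the caller puts its identity, a timestamp and a nonce in the first packet and proves the identity with an HMAC under a pre-shared key. How identity is proven, the packet layout, the replay window and the demo key are all assumptions constructed for this example; the page only says that identity must be authenticated on the first packet, before the session is accepted. Anything that fails verification is dropped without a reply, so an unknown caller never learns that a service is there.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# Constructed demo key. In practice the per-endpoint key would be provisioned
# out of band (enrolment, a hardware credential), never sent over the wire.
DEMO_KEYS: Dict[str, bytes] = {
    "device-42": b"constructed-demo-key-for-device-42",
}

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
FIXED_FIELDS = 8 + 8                    # timestamp (8 bytes) + nonce (8 bytes)


def make_first_packet(identity: str, key: bytes,
                      now: Optional[float] = None,
                      nonce: Optional[bytes] = None) -> bytes:
    """Caller side: identity || timestamp || nonce || HMAC-SHA256 over those fields.

    Identity and its proof travel in the very first packet, so the callee can
    decide whether to answer before any application data is exchanged.
    """
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8) if nonce is None else nonce
    ident = identity.encode("utf-8")
    header = struct.pack("!B", len(ident)) + ident + struct.pack("!Q", ts) + nonce
    return header + hmac.new(key, header, hashlib.sha256).digest()


class FirstPacketGate:
    """Callee side: admit a session only if the first packet proves a known identity.

    Every failure path returns None, meaning "send nothing back": the
    "I am not answering unless I know you" rule from the text.
    """

    def __init__(self, keys: Dict[str, bytes], window_s: int = 30):
        self.keys = keys
        self.window_s = window_s        # tolerated clock skew / token lifetime
        self.seen = set()               # (identity, ts, nonce) already admitted
        self._dummy = os.urandom(32)    # unknown ids cost the same as a bad MAC

    def admit(self, packet: bytes, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated identity, or None to drop the packet silently."""
        now = time.time() if now is None else now
        try:
            ident_len = packet[0]
            off = 1 + ident_len + FIXED_FIELDS      # start of the HMAC tag
            if len(packet) != off + TAG_LEN:
                return None                         # malformed or trailing junk
            ident = packet[1:1 + ident_len].decode("utf-8")
            ts, = struct.unpack("!Q", packet[1 + ident_len:1 + ident_len + 8])
            nonce = packet[1 + ident_len + 8:off]
        except (IndexError, struct.error, UnicodeDecodeError):
            return None
        key = self.keys.get(ident)
        expected = hmac.new(key if key is not None else self._dummy,
                            packet[:off], hashlib.sha256).digest()
        # Constant-time compare; an unknown identity fails here as well.
        if not hmac.compare_digest(expected, packet[off:]) or key is None:
            return None
        if abs(now - ts) > self.window_s:
            return None                             # stale token
        if (ident, ts, nonce) in self.seen:
            return None                             # replayed first packet
        self.seen.add((ident, ts, nonce))
        return ident


if __name__ == "__main__":
    gate = FirstPacketGate(DEMO_KEYS)
    good = make_first_packet("device-42", DEMO_KEYS["device-42"])
    print("known caller   ->", gate.admit(good))      # device-42
    print("replayed       ->", gate.admit(good))      # None
    stranger = make_first_packet("device-99", b"guess")
    print("unknown caller ->", gate.admit(stranger))  # None
```

The gate is deliberately silent on failure: a bad tag, an unknown identity, a stale timestamp and a replayed packet all look identical from the outside, which is the point of refusing to “answer the call” until the caller is known. Tying the admitted identity to the session’s encryption keys, as the text goes on to require, would be the next step on top of this check.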
Summary - An End-to-End Chain of Trust to Secure the Third Wave
What we need in the industry is to create an end-to-end “Chain of Trust” between the device, user, server and application, including the data. This will allow trusted operations in an untrusted, bad guy infested Internet.