The pandemic fundamentally changed the architecture of cyber security — now organizations must adapt to survive and eventually thrive
By Dr. Chase Cunningham Ph.D
Imagine a wall with a gate. The gate allows you to monitor and decide who you let inside the wall. It’s somewhat effective at achieving these ends. Some people climb over, some tunnel under, and some fake their way inside with stolen access credentials. Improbably, some allegedly managed to get inside one of these walls hidden in a big wooden horse. It happened in Troy, remember that?
Troy was our first proof of failure of a perimeter-based security model, and it happened in 1184 B.C. We have known for a long time, for millennia, that this model is doomed to fail. Yet when it came to protecting digital assets, all we did was take a failed physical approach, digitize it, and expect to do better than the Trojans. Wow, were we wrong.
If I labor this point, it’s because the digital walls we have built now have thousands of gates: one for every employee, one for every employee device — maybe even one for every cloud application. Working from home during the global pandemic turned the wall into a sieve, everywhere, all at once, that operates at the speed of light (literally).
The wall has fallen and isn’t coming back. It’s not simply that hybrid work environments blew it up, it’s that the rapid pace of digitalization makes it impossible to rebuild. The expansion, every day, of digital services and e-commerce shows that we, collectively, want the convenience, efficiency, and opportunity of a more digitized life. Businesses require speed and dynamism, users want security and ease of use anywhere at any time, and global connectivity demands that we interoperate and optimize now, not later.
The sooner we realize that we need some “post-wall” thinking about security, the sooner we’ll be able to deal with the exponential growth in attacks on company and organizational infrastructure. If we accept that we are now living in a digitalized society, we need to start by acknowledging some new ground rules:
- People are not going to magically become security experts. You can train your workforce to be cyber aware, but all it takes is one person to click on a malicious link for your company to be phished. Training may reduce the odds, but not to zero. That we see phishing attacks work over and over again demands that we accept human nature as it is and not how we’d like it to be.
- People will seek the most convenient process. We are energy misers. The course of action most likely to be taken will be the one that requires the least amount of effort. So, while various forms of multi-factor authentication may increase security, they also increase cognitive burden and annoyance. We have to make security simple—a part of the architecture.
- Employees are not going to want to submit their personal devices to corporate security controls. Putting security and surveillance software on all the devices your employees are likely to interact with is going to be challenging and likely impossible, for practical, privacy-related, and political reasons. People don’t want their employers to have access to and control of their personal mobile devices.
- We already have physical means of verifying and validating “who” a person is and “what” they are trying to do (ever boarded an aircraft since 9/11?). We should be able to apply that same methodology and those same metrics to today’s digitized systems without making people suffer through a network-enabled TSA.
What, then, is the answer?
If the wall has been dissolved or, at the very least, rendered useless by a thousand gates, then everything must be verified everywhere, continuously, because the gates are now everywhere. And the only way to do this easily, effectively, and inexpensively is by using solutions like verifiable credentials coupled with a security technology stack that removes friction while increasing adoption and use. This is applied on the user’s behalf and doesn’t rely on them to adopt any additional tools.
Verifiable credentials make trust in identity and data portable, because the process of creating a verifiable credential means that the integrity of the transaction and the integrity of any information that transaction contains is guaranteed by a combination of decentralized identifiers, decentralized ledgers, cryptographic signatures, and biometric interfaces with mobile devices. To put it simply, using verifiable credentials means we know the “who” and “what” and are able to validate that there is a reason for an action to occur. We don’t just allow a connection because of a username and password — and we don’t enable default connectivity because a firewall rule says “allow all”.
These technologies allow trust to be triangulated between the issuer of a credential, the entity holding the credential, and the validator verifying the credential. And when the integrity of a verifiable credential is verified, the information associated with it is immediately actionable.
A critical feature of decentralized identity is that it enables the separation of form from content. It’s the form in which digital information is held that makes the information verifiable. This has huge implications: It removes the need to store critical data or personally identifiable information in a centralized database as part of the verification process as the nature of that validation triangulation is distributed from the start. All data is tied to its owner and shared in privacy-preserving ways over uniquely encrypted communications channels.
A verifiable credential replaces a login and password, and verification is instant and device agnostic. There is no “one ring to rule them all” that is the single point of failure in this model. If we take other security technologies and apply them to build out the security posture of the entities tied to that validated and verified credential, the rising tide of a better security position does finally raise all ships.
As the perimeter defenses of a billion digital entities dissolve, we can see online interaction as a much more open environment where information can move much more freely; that’s what the internet is for. It was designed for that very purpose; it was not built to be secure. But with today’s technologies applied in innovative but natural ways, we can operate in a secure and optimized manner. The only way to make this digital reality work is to accept that the old security architecture failed all of us and is never coming back. Thankfully.
The way we get better is to accept that reality and build our future to look the way the internet was meant to operate: distributed, diverse, adaptable, dynamic, and integrated with our physical selves.