Build Upon 3 Pillars of TrustHow to Secure Systems with a Foundation of Identity, Privacy and Security
This is the premise of Mike Ozburn, Principal at Booz Allen Hamilton, which has just authored a new white paper about these pillars, which are:
In an exclusive interview about the three pillars and how organizations can build their systems around them, Ozburn discusses:
- Key elements of the 3 pillars;
- Hard and soft benefits to be realized;
- The roadmap from here to there - and speedbumps to watch for along the way.
Ozburn works within the Information Technology team with a special focus on developing solutions for Civil agencies and Commercial enterprises. He is a leader in the Firm's efforts to develop Web 3.0 Trusted Service solutions based on Identity, Trust Management, Data Sharing, and CyberSecurity.
Ozburn has broad experience in the fields of Telecommunications and Technology. Most recently he has been actively engaged in the development of the emerging trust layer for the Internet, including the U.S. Government's adoption of Trust Frameworks. He is a long-time participant in the open identity community and serves on the boards of the OpenID Foundation, The Information Card Foundation and the Open Identity Exchange.
Before joining Booz Allen Hamilton, Ozburn had broad managerial experience across the hardware, software, and Internet service industries. He has had high impact roles for large public companies such as MCI and General Instrument, where he led the development of the SurfBoard cable modem. He later served as Chief Information Officer at Nextel, prior to its acquisition by Sprint, and pioneered the introduction of the Wireless Web with the first U.S. introduction of web browsers for cell phones. He served as CEO and President of Bridgewater Systems and, before joining Booz Allen, he led several smaller startups in the evolving field of social networks, social publishing and identity-based services for consumers. TOM FIELD: If you can, how about you tell us a little bit about yourself, your role with Booz Allen Hamilton and your work around this topic we're going to discuss today.
MIKE OZBURN: Sure. As you said, I'm a principal at Booz Allen Hamilton. I lead our efforts in what we call trust service, particularly with respect to some of the recent government changes, including the adoption of what they call the trust framework and the national strategy for trusted identities in cyberspace that was announced in January. I sit on a variety of industry boards, having been in this space for the last four or five years. I'm on the Information Card Foundation, a board member on the Open Identity Foundation and the Open Identity Exchange.
The 3 PillarsFIELD: Well, Mike, you produced a white paper that's called "The 3 Pillars of Trust," and the opening premise there is that the internet is insufficiently secure to support today's evolving business needs. Why don't you discuss that premise? Why is the internet insufficiently secure today?
OZBURN: A lot of people in the mid-90s didn't think the internet was ever really going to catch on, but it's clearly unsurpassed in its ability to drive down the cost of computing, and so that's why more and more services are moving to the web. Then, as most people know, there is a big push now to move into cloud-type services, whether that's social networks or services like Twitter or other kind of consumer-based services. The internet is also unsurpassed in its ability to open up new markets, which is why we've seen a global expansion and why again services moved first to the web and then moved to mobile devices, which as late as 1999, 2000 most people never thought you would ever do email on the cell phone.
But I think with all the positives and strengths of the internet, one of the greatest problems is that the architecture itself -- the thing that has allowed it to grow so rapidly -- there is no core basis for identifying the parties that are engaged in the transactions online, and therefore there is no native way to secure those transactions or to really enable people to trust the services that they're taking advantage of. And we see more and more reports of that in the last three or four years, whether you consider that to be problems of identity theft or issues such as the WikiLeaks problems that have been in the newspaper recently. So with all the power and all the strength of the internet, clearly it's going to be the core of what supports our economy and our society going forward, but what becomes really important now is we put more and more service requirements on it, and then we have the ability to put back in place that missing infrastructure for trust.
FIELD: So, Mike, to play devil's advocate: If I'm an organization that hasn't been affected by identity theft or information leakage, I come back and say the internet has worked fine for my business -- so what if it's insufficiently secure? How do you respond to that?
OZBURN: Well, I think what you would look to -- and this is particularly the case, say, with the federal government or with the government in Great Britain -- is that most organizations even if they are doing some things online, there are many things that they are not doing online, or there are many places where their online service performance is not as great as it could be. And that could range from -- I think the last retail statistic I saw is that even in 2011, with as much ecommerce going on, still some 30 to 40% of transactions are abandoned at some point before there is a fulfillment of that trust because people have forgotten their password or because they've gone into some problem ... associated with this lack of a secure infrastructure. And so I think in most instances for companies who say 'Everything is just fine with me,' what you would find is a great many areas where their operating costs are higher than they would need to be because they're not doing things online, but they really could if they had a secure infrastructure, or because they're not being as effective in their own line of transactions because their users, their consumers are not finding it as convenient as they would like to find it, or where the user is not sharing information that is important to the service provider because that user is worried about the privacy of that information or how that data would be controlled or shared. So all those issues, all those operational issues, are really the implicit problems of the lack of that secure trustworthy infrastructure that is just not there today.
Pillar 1: IdentityFIELD: Well, that's a good perspective. Let's talk about these three pillars of trust now. We'll take them in order and talk about what they are and what their key elements are in working together to form these pillars you discussed. The first one is identity. Tell us about that.
OZBURN: Sure. They all three are important, and what they really reflect is the need to be able to operate in an online environment in the same way that we as human beings innately operate in the physical world. So if I was going to come and engage with you as the service provider, even if you were my neighbor and I came to borrow a power tool from you, the first thing that we both would want to know is, well, who are we dealing with? And the fancy word for that is identity, right? And that's both the authentication - 'Have I ever seen you before? Do I have some context in knowing that you really are the person that you purport to be?' -- and then some sort of authorization. 'Have I ever borrowed a tool from you before? Did I return it? Did I return it in a good fashion, or was it broken?' So, all those nuanced aspects that, from a technical perspective we would call identity components or attributes of our identity, those all come into play in our physical world. They come into play in the digital world as well, and until recently there really have been insufficient frameworks to positively identify [users], and therefore that's one of the biggest problems that we have online is that absence of identity.
Pillar #2: PrivacyFIELD: The second pillar is privacy. What can you tell us about that, Mike?
OZBURN: Well, I think privacy follows right along. So, as I go to engage with you or engage with people online, all of us interact in a particular context in the services that we take advantage of. I think the ... simplest explanation I use for privacy is that it's the information that I care about as a user. So, I want to be sure that when I tell you something about me or something about my family or my economy condition or where I live or things of that nature, I want to be very sure that you're using that information in a proper way. And the aspects of privacy are very rich because in some instances that same piece of information that would allow you to make things more convenient for me is the piece of information that I'm happy for you to use, but I would not want you to share with somebody else. So all those considerations about how does the service provider take care of the information that I care about most from a personal perspective -- those considerations are all wrapped up in this notion of privacy.
Pillar #3: SecurityFIELD: So, the final pillar is security ,and as you know often security and privacy get confused for one another. How do you distinguish security among these pillars?
OZBURN: At a layman's level, I treat it in the following way. Privacy is information that I care about. Security is everything else that you as the service provider really need to be responsible for, and that can range from the way that you internally protect that information with the systems that you have to protect against insider threat or the systems you have to protect from people coming in from the outside, and they extend all the way over to the service environment upon which you offer that service. So, if you've created an iPhone app or an app that's going to run on my Droid device, then your responsibility for security needs to extend all the way out to that device, so that in whatever service context I'm participating as a user I can feel confident that that's a secure transaction and you've done what's necessary to protect it on an end-to-end basis.
Making the CaseFIELD: Well, Mike, that's a good overview of the pillars, and let's say that I'm a security leader and I'm sold on this concept of building around the pillars, and I'm going to make this business case now. What are the hard and soft benefits of the three pillars that I'm going to take to my senior management, my board, to get their support?
OZBURN: Well, I think the hard benefits easily always come down to money, cost savings that you're going to be able to enjoy because you've moved to an architecture that fundamentally supports security at the very core transactional level. So, if you just compare the situation as you move services to the cloud, you're actually going to incur more expenses tomorrow in that cloud-type environment than you had today because you have a different environment, you have to have different controls and different security infrastructures you're going to have to take into account.
Likewise when you move things to a mobile environment, that's one more silo of activity than in the traditional way you have to build a silo of protection or security around that.
So as you offer more services in more ways as you interconnect more and more service architectures, your cost of security actually increase. Your risks actually increase. If you instead look at that and you build those on a core foundation of what we call the trust architecture, so that you can positively identify the user from the authentication and authorization perspective, and you can deliver that transaction in a secure environment ...you actually see a cost reduction on a transactional level because now your security infrastructure scales in the same way that your service offerings scale. So, from a hard benefits perspective it basically boils down to a lower cost of operation both because I can move more services online and get the basic operational cost of doing it online versus doing it in person or in a friction order type fashion. I also have a cost reduction in the way that my overall risk management posture has been improved because I can positively identify the individuals that I am dealing with, and I can interact in transactions that are secure at that transactional level, and I can also see operational benefits. And maybe in some instances that would be considered soft benefits, but whether that's if you're in enterprise revenue increase because you're now able to interact more frequently with your users, whether you're able to fulfill more transactions and say you can manage more and more service offerings that you have out there. Or from a government perspective where you now are just more successful in your mission than you were before, whether that is a matter for the Internal Revenue Service being able to more efficiently deal with the hundreds of millions of people that want to file their taxes online and would like to follow up and interact online in ways that they can't do today.
The Road MapFIELD: So let's talk about how we get from here to there. What would you say the road map is?
OZBURN: I think the key to it is really to recognize this is not a technology issue, and I think that's sometimes the hardest things for enterprises and for government agencies. If you mention the word "digital" or if you mention the word "online," immediately they think this is a technology problem, and it's really not. The technology that we're talking about that would allow us to implement these things, whether it's a digital credential that we can take advantage of or a biometric a piece of biometric information, an iris scan or a voice print or a facial something that can be used from a facial recognition perspective -- all that technology is well developed and is well standardized now across the economy and the different platforms and different service providers that can provide those kind of tools. It really boils down to an issue of how do you want to interact with the user? And so I think the road map begins with people that are in that kind of responsible position to see a strategic opportunity or a strategic requirement to be able to provide services in ways that they haven't done before, whether that's just at lower cost, which is a big issue now across governments in the United States or in the UK as an example.
The UK -I've mentioned it twice, and it's really interesting. Last fall they actually put in place a program they call digital by default, and their approach is that by 2012 they want to have 100% of their citizens with online capabilities, and they want to move 30% of all their service interactions online simply because they need to find lower costs to provide services. So regardless of where you sit in your organization, the key first step on that road map is to recognize that you now have the ability to offer services today in 2011 that you could not have offered online the same way in 2009 and to make the affirmative decision to begin down that path to define the types of services that you want to offer and then build them upon those three pillars of identity, privacy and security.
FIELD: So to stick with the analogy of a road map or a trip what are some of the speed bumps an organization might encounter along the way?
OZBURN: I think the biggest ones are always, as I said, the organizational prejudice to think of these things as complicated or as things that the technology guys are going to go handle in the basement of some other building that is far, far away from any kind of personal or human being interactions. I think that's a big problem because what happens in that situation is that you don't sort of step back and focus on the real environment in which you're trying to succeed. And as I said many, many times in a world of smartphones and social networks, everything is interconnected. So this old sort of architectural approach of saying that I'm going to offer one service online and building a little silo of protection around that service in trying to control that silo that just doesn't work anymore when all those silos need to be interconnected ,and you have hundreds and hundreds of millions of people who have already taken steps to empower themselves, whether that's through a cellphone or whether that's through some sort of social network environment in which they already are willing to operate. So I think the roadblocks, the problem areas, really come from organizations that for whatever reason are having a hard time taking a fresh look at this environment and looking at the big problems that they are trying to solve in the real world situation in which they're going to be operating where they are and their users are already online.
Their users are already interacting with certain service providers with a far greater level of interaction than in many cases the government agency is offering or even an enterprise might be offering. So I think the key to the road map is to make an affirmative decision that this is a new day, that we are in a new environment, as the UK says, where things should be digital by default, where we should be able to allow the user to have a greater level of control, recognizing that when they have greater control they're going to offer a greater level of interaction which is we're all in the business of service providers. And the roadblocks are really all the things that would cause people to say 'Oh, we've tried that before' or 'That can't work' or to just refuse to recognize the environment which we finds ourselves today.
FIELD: Well you've made a compelling case for what needs to happen. I guess my question is: What's the compelling reason to do it now in 2011?
OZBURN: Well, I think a lot of it comes from that critical mass. The tipping point that many people referenced over the last several years -- I think there is a lot to be said for that. In my past life, I was a CIO at a cellphone company, and we put browsers on cell phones in 1999, and the only thing that was clear then was that no one would ever do email on a cellphone. Now we live in a world where you know teenagers and children that are younger have cellphones, and they're constantly on Twitter or they're chatting or they're sending emails. And so our environment is very, very different. So that's point #1. There are hundreds and millions of people that are already powered.
I think point #2 is that there is a positive and a negative to that environment. I think many governments have recognized the fact that we built this entire infrastructure on top of an architecture that has no native ability to be secured or to allow people to trust it is a real problem, and a lot of people refer to that as the cyber threat problem. So whether you look at the WikiLeaks initial problem of people getting digital information and sharing it on the internet, or whether you didn't get bothered by that, but you get bothered by the retribution that came back against companies that were trying to defend against that which resulted in the kind of digital attacks on the Visa and MasterCard networks and things of that nature ...it's clear that with as many of us relying on the internet for all the things that we do. we need to make it sincere, and that's clear in 2011 in ways that it never was before.
And I think conversely if you look at it from a positive perspective, as we look at improving healthcare, improving the delivery of public services, there is no way that we are going to be able to do that in a physical or paper-based way. So, from a healthcare perspective, if it turns out that every American for example needs to ensure that they have the right type of healthcare, to file that information in the kind of regular course of business it's much more like doing the census every month than it is like filing taxes, and so there is no way that we are going to be able to support the kinds of service delivery in a physical world as we go forward. And so I think for all those reasons, governments have recognized that this is an important time for them to step up and to help enable the kind of marketplaces that would allow a conversion from this ecommerce model that we have that has high cost of security and is really not sustainable and to help evolve to this trust architecture.
We've seen things like, in the U.S., the adoption of the trust agreement model as part of the federal enterprise architecture that will rely on commercial enterprises to issue digital credentials to their customers, knowing that that same human being that a bank considers to be a customer, the government considers to be a citizen, and it's very easy for the government to then accept that same digital credential issued by the bank to that individual, and by virtue of doing that we can move lots of services online, and we can create this trust infrastructure with the government looking like the big buyers and the commercial enterprises looking like what we would call identity providers. So in 2011 and 2012, we really do have this opportunity to reach a tipping point that allows us to make a rapid transformation from this ecommerce model which has these unsustainable costs associated with it to this trust architecture built on identity and privacy and security.