Cybersecurity’s Big Bang Event

In 2016 Dr. Daniel R. Ford stated, “Today digital identification is based on indirect assertion of Identity. Until a direct assertion [solution] is available it [authentication] will just be an informed guess.”

A brief Internet Security History

It has been over 3 decades since the World Wide Web came into existence. In that time the Internet has gone from a playground for computer nerds to an integral part of our lives. The Internet access model evolved from a terminal model to browser-based access. At the same time, Internet interaction also evolved.

In the beginning there was no one on the Internet. People posted something hoping someone would find it. “Security was an afterthought”, Vint Cerf, “Most of the early users of the network were college students, and they weren't likely to be very ‘disciplined’ when it came to remembering and maintaining their password keys, he said. Many could easily have found themselves locked out of it.”

As Internet usage grew, marketing came to the Internet and the Dotcom bubble began. Most Dotcoms had nothing beyond traffic. It popped when investors realized these sites generated traffic but didn’t generate money. In time, online sales began and data from Internet activity needed to be secured. The data falls into two independent and interdependent security classes. From a website owner’s point of view the data is secure. From an Internet security point-of-view, sales data is classified because it is generated from public action.

Figure 1

Then the Big Bang moment that created the cybersecurity crisis happened. Healthcare and banking moved to the Internet. This was a natural progression; however, Secure-level activity has different security protocols from unclassified and classified activity.

Last century, hacking wasn’t a problem, and security protocols, like properly provisioning authorized users, were seen as inconvenient and disruptive to Internet adoption and viewed as expensive with no visible short-term benefit, so compromised security protocols became policy. In 2005, AOL was the canary in the coal mine. It was the first major publicized breach. AOL, and every breach since, has the same two exploits at the core: unrestricted access to secure activity, and indirect assertion, that is, authentication based on an “informed guess”.

Secure activity is limited to authorized users. In the real-world, identification is provisioned for secure activity. From Employee and Government identification cards to Debit and Credit Cards, real world security is centered around restricting secure activity to only authorized users with proper identification.

Digital Security Protocols are the Solution

Internet Security is a process not a product. There isn’t any silver bullet product that will solve the problem. The only path to Internet Security is a protocol-based analysis.

Figure 2

All digital activity falls into three overarching categories: Unclassified, Classified and Secure. On an organizational level, digital activity must be sorted into these three categories. Providing digital security then becomes an a priori process using binary logic.

Figure 2 represents the process to transition from today’s commingled environment to a Security Protocol based environment. On the left is our browser-based access model which shows that the one-size-fits-all access model removed any ability to restrict secure activity. In the center, security protocols are applied to today’s environment, isolating secure activity. The right side applies security protocols to Internet activity.

Solving Internet security is exactly the same as debugging a software application: follow the steps back until the problem is identified, then make the other binary choice. Stopping short of the bug may mitigate the problem in the short term, but it does nothing to correct the bug. Retaining the bug and applying mitigation compounds the mistake while introducing additional incorrect choices on the wrong fork. Decades of mitigation have contributed to failure.

Internet Security, the right side of Figure 2, follows an a priori process using binary choices to create an Internet model with three security access classes. The process:

1. Connect to the Internet? Yes (necessary risk)

2. Is the activity Secure?

   a. Yes, Secure class of private access based on a digital state-of-existence

   b. No, introduces the next choice: Classified or Unclassified activity (unrestricted environment). Is authentication required?

      i. Yes, the activity is Classified. This area is best envisioned using eCommerce: Activity is public, but the data generated is “secure”

      ii. No, the activity is Unclassified

Security is a Process not a Product

Once analysis is completed and activity is sorted into security classes, the rest is configuration. All Internet activity has two independent and interdependent security classes. Where the security classes are the same, the class is obvious. However, where they differ the lowest level of security applies.

Figure 3

Then the process is to match the lowest level Security Classification to the corresponding Security Configuration.

A product facilitates the process

Existence technology is based on a physical identification that contains software to directly connect to its related secure environment. The identification creates a method to browser-lessly interact, eliminating content-mining of secure activity while blocking, among other things, browser-based access to the same secure activity.

The identification (token) seems to be where misunderstanding occurs. To date, tokens are nothing more than an additional source of data, an attribute of data used during authentication. Tokens, as used today, have failed to directly assert themselves on the Internet. The concept of a token was correct but, like other aspects of Internet security, tokens failed to evolve as the Internet evolved.

Authorized users do not have to carry additional IDs. They already carry identification for secure environments: Student IDs, Employee IDs, Military IDs, Facility access cards, Debit/Credit cards, and so on. These are all able to be upgraded to directly assert identity on the Internet. The user does not need to carry additional identification; they need their identification upgraded to perform secure level digital activity.

Every organization’s security architecture and requirements are unique. Existence technology creates a virtual operating environment that renders code. Browsers render code. Both can render the same code, no major lift here. As the organization identifies activity and begins to migrate, they can keep both systems operating in parallel to facilitate the transition.

Existence technology is designed as a complementary technology. When an organization deploys Existence, nothing that is currently deployed is disrupted. Existence runs both concurrently and in parallel with existing cybersecurity architecture. Migration from one security model to the other is planned, scheduled and controlled by the organization. Once migration and training (if necessary) are completed, browser-based access is removed, and only authorized users have access to secure activity.

Existence Technologies does not come at Internet Security from a “do it this way” perspective but rather from a “follow these security protocols” perspective. How an organization performs business must be facilitated to the maximum extent without crossing the line that compromises security. This is the niche that Existence Technologies fills.
