Welcome to Episode 07 of the DG Podcast! We were fortunate to have Duo Principal Security Strategist Wendy Nather take a break from the hustle and bustle of InfoSec 2017 and BSides London to join Thomas Fischer and Tim Bandos for an episode focused on the evolving disciplines of authentication and identity management. Tune in via SoundCloud below or listen and subscribe via iTunes.

Highlights from this episode include:

• 1:00 – Wendy's thoughts on how a new generation of security professionals is driving the "consumerization of security" and its impact on data protection
• 2:30 – The blurring of the lines between enterprise and personal user accounts, applications, devices, and activities and what it means for authentication and identity management
• 10:30 – A recap of the top trends observed at the InfoSec 2017 conference
• 11:30 – Two factor vs. multi factor authentication: how much is enough?
• 17:15 – How authentication is evolving to keep up with enterprise and user needs

Intro/outro music: "Groovy Baby" by Jason Shaw, licensed under CC BY 3.0 US

Transcript

[0:00:08.5] TF: Hello and welcome to episode 7 of our Digital Guardian Podcast. I’m your host and Digital Guardian Global Security Advocate Thomas Fisher. Joining me today are my cohost and DG Director of Cybersecurity, Tim Bandos, who has come from the US and is right now in London and we also have special guest Wendy Nather who also came to London and we are both, well, all three of us actually live from InfoSec Europe.

Wendy, would you like to introduce yourself?

[0:00:33.1] WN: Sure, I’m Wendy Nather. I’m the principal security strategist at Duo Security. I was previously an analyst for five years and also a CISO before that.

[0:00:42.6] TF: What’s your specialization right now, Wendy?

[0:00:44.8] WN: I give up. What is my specialization? I’m still trying to figure that out but you know, in a lot of ways, I’m focusing on the strategic direction of what Duo is but thinking about the other issues that affect more of the security community.

[0:00:59.6] TB: What are those issues you’re running into that might be similar to what we’re doing?

[0:01:03.1] WN: Well, one that I was talking about earlier today was with some other folks is really the consumerization of security that’s going to come along. Most of us know that we have users in the enterprise who are, you know, very tech savvy; they’re young, they’re aggressive, they’re impatient, they’re not going to put up with the types of security forms and user interfaces that we engineers have all been happy with all this time.

They’re going to demand better usability and more robust, more invisible sort of security. I think that’s going to be a big challenge for us.

[0:01:38.6] TB: So what do you think might be the impact on data protection in that domain? I mean, like you said, users are changing right? So they don’t have the same vision that we might have for going up in the industry and going up before we had all this internet and all these fancy websites like Facebook and stuff where everything is shared and we have globalization of information and rapid information release.

As corporate organizations, there’s still that intellectual property we’re trying to protect and there’s all that personal data work — and as well as personal data but it’s a whole bunch of data that needs protecting in the organization and we see so many threat actors today. I mean, Tim can testify that in our MSP environment, we see a crap load of threat actors, right? Both internal and external.

Do you think that’s going to be exaggerated or exacer- I can’t say-

[0:02:28.3] TB: Exasperated? You’re good man.

[0:02:31.2] TF: By this new generation?

[0:02:33.9] WN: I think so. I think the other big issue is, as you guys know, it used to be that the enterprise data that you were dealing with was, you know, in a different application that nobody — you would never use at home, you wouldn’t use an ERP system for fun at home and if you do then, you know, raise your hand because I want to stage an intervention.

The software you were using at work was very different, the data stayed there, you used a different endpoint, it was a different time of day and now, everything is interleaved. So you were using the same thing. You’re using Gmail both for personal use and for corporate use, using Box, using social media.

All of this mixes up and it’s all in the context. So if you have to identify enterprise data, you can’t do it anymore by where it was created, what was used to create it, what time it was made, where you were at the time, you have to look at the actual content of the data and make a judgment call, “I think this is business data.” So that’s confused things quite a bit.

[0:03:31.0] TF: Do you think we’re making it easier – you’re ultimately widening the attack surface essentially through these technologies that you’re kind of suggesting that might have to come along for maybe the younger generation?

[0:03:39.9] WN: Well, I think it’s that and it’s also that obviously the enterprise has its own idea of risk that it wants to manage. But if you as a person have your data interleaved with theirs on the same device, you still want to say, “Hang on, this is my personal data, I’ll be the – I’ll make the decision as to what kind of risk and what kind of controls I want to put around it. You have no say as the enterprise as to what I do with my personal data.”

Yet, you’re logging into the same things, the only difference is your log in name that you’re using maybe or where it is on your phone. You know, I think we’re going to see more arguments with enterprise users as, you know, in terms of them saying, “Well you can put policies around what I do for you but you can’t put policies around what I do for me.” And yet, it’s the same data and the same containers. How do you sort that out?

[0:04:26.1] TB: Right.

[0:04:26.7] TF: That’s true because I look up myself, right? I’ve got — I practically live online nowadays. I mean, I have everything in Google, I’ve also got personal version of Office online, I’ve also got, as a corporate environment, we’ve switched over to Office 365 and I’m really confused sometimes because even the computer gets confused.

I log into — I got Office.com and they’re like, “Which account do you want to use?” Sometimes I’ll try to put in my corporate account and then my corporate account says, the office just says, “No, you can’t use your corporate account.” I’m like, "But, I want to go to my corporate account,” and it’s only then that I realize, “Oh wait, maybe I’m on the wrong website.” Do you think there’s a solution to that? Because it is, we’re becoming, we have so many identities today. I mean, there’s no fixed identity. We’ve got so many little different identities, I know there’s been a lot of work on I’d say, you know, the, oh often, single identity via Twitter, Facebook, and all that. That’s not viable for a corporate environment.

[0:05:30.5] WN: Yeah, I think the definition of the corporate environment is changing so much too, especially if you’re a cloud first, you have nothing, you have no data center, you’re all using the same SAS providers and your users are using the same end points. So I think we need more identity level tagging around, “Okay, now I’m doing this as me and now I’m doing this as a corporate user.”

But I know that there are groups that are trying to work on this quite a bit. Like the UMA Project and you know, some of the others but I think consumers as such our learning more about how they need to protect their personal data but again, I think they’re going to run afoul of the enterprise’s view of risk as supposed to their own view of their own personal risk.

[0:06:17.6]TF: Right, How does that play in to I guess when large enterprise kind of take the concept of bring your own device, is that really what you’re saying that we now need? We can still do that but maybe we can do it effectively by identity access management via other means or…

[0:06:29.7] WN: Well that is one of the things that Google came out with when they formed their beyond court model where it should matter less first of all where the user is as long as they are using the device that they expect to see that user are using, that they’re tied to, that they have identified as managed or unmanaged.

The problem is that up until now, you have users, even if you don’t think you have a BYOD policy, we’ve had customers at Duo who have discovered that their corporate users are accessing applications with unmanaged devices.

You can’t see that unless you have the right logging and you’re capturing that during the authentication phase. Even if you don’t think you have BYOD, you can’t really be sure until you go and have a look.

[0:07:11.3] TF: Because you have zero visibility into those. BYOD devices, you’re not installing your data loss prevention technology, you’re not installing your AV on those end points.

[0:07:18.4] WN: Yeah, if you’re not installing MDM on them.

[0:07:20.0] TF: Right, MDM as well?

[0:07:21.5] WN: You know, I mean, with Duo, we have a way to look at it, we use the native API’s to inspect the devices and we can allow you to mark the ones that you expect to see as managed so you can kind of tell, “Okay, we know that they’re using this but here are this other devices.”

Usually, one and a half devices per users what we see, but with Google users, it tends to be closer to five to seven devices per user. You want to get visibility into all of those and just build this whole picture of what you expect that user to be doing.

[0:07:48.1] TB: I’m not personally running four, five, I’m probably using five devices and that’s five devices for everything that I access.

[0:07:56.2] WN: It’s both corporate and personal, all on the five devices across them.

[0:07:59.5] TB: Yeah.

[0:08:00.4] TF: Your VM’s and everything else.

[0:08:01.7] TB: Yeah.

[0:08:02.7] WN: Yeah.

[0:08:04.2] TB: I use those VM’s for other things. Let’s not get into that. I’m trying to think of whether to say this.

[0:08:12.8] WN: Yeah, where can we go from here?

[0:08:14.3] TB: Yeah, I mean, that’s the problem. Like I said, I’ve got five devices but it’s one of the reasons we’re working as like we’re trying to work like a startup mentality and things like that. We give certain freedoms to our users, especially…

And, the other aspect is we get to test all that we’re actually doing, what we claim we’re doing because we’re doing multiple devices. Part of one of the MDM strategies is to contain applications and to put applications into virtual environments.

I personally don’t think that’s viable. I mean, I don’t know about you guys, do you think it’s a viable solution to just say tell a user like, “Okay, from now on, you’re going to access anything that’s corporate data or anything that’s protected, you’re going to go through this portal, you’re going to go through this restricted portal.”

I mean, it works, it’s playing in to identity management, do you always start because you’re going to have that ability to control who accesses what, but is it a viable technology to actually work with?

[0:09:05.6] WN: I think it is if you put these, the access proxy for example in front of the applications and you’re tracking this at the application layer and say, “Well, if you’re logging in, you know as Wendy personally, we don’t care what you do with your data but if you start logging as [email protected] we are certainly going to impose additional authentication measures and additional controls and we’re going to watch carefully what you’re doing.

I think it all goes back to accessing it at the application layer, this makes the network less relevant and it’s easier for the user because the user doesn’t have to care whether it’s an internal app or an external app, you know, they get the same experience regardless.

I think that’s the only way because users don’t want things to be installed on their personal devices. They don’t want to be tracked on personal devices. The only other place you can really do it is at the application front door and say, “fine, if you’re logging in as an enterprise user, we have a say in how you do that.

[0:10:05.5] TF: Right. I think architecturally though, if it’s done right, that makes sense, I’ve just experienced extreme latency issues and you know, actually accesses it and that just causes issues then from the user’s perspective. They just don’t even want to use it anymore. They want their own device back and want to reinstall the applications and I mean, I’ve seen that trend happen well.

[0:10:21.5] WN: Yeah, I think I don’t know that containerization went in with all the extra latency that it introduced may be a problem. So you really have to lighten up the access proxy and say, “Fine, we’re just going to deal with the authentication and after that, you know, you’re on your own with the session.”

[0:10:36.1] TF: Let me ask you since we are at this conference, what have you heard from people coming up to the booth, the most common questions that they have been asking you guys?

[0:10:44.0] WN: Oh , that’s a good question, I haven’t had a chance to talk to all my colleagues yet but certainly some of the things that I’ve heard or you know, people are still concerned about third party access especially really large enterprises.

They’re worried about how to protect their own customers, their own users in a way that they’re not going to rebel at. Then there are all sorts of things like the questions around what really constitutes two factor authentication as supposed to two step authentication under PCI and you know, the problem with PCI is the more prescriptive and precise you are, the more, hairs there are to be split.

There’s all kinds of discussions about that.

[0:11:22.7] TF: I mean, you mentioned two factor authentication. If you got some of the writings and everybody’s talking about nowadays, small multi-factor authentication. Do you see a relevant difference between that 2FA, what we used to call 2FA, it’s always been really called 2FA where you plug it, you have some physical second factor to actually do versus the multi factor authentication that we see nowadays where they can be something like off the year, can be something, I mean, they also have this virtual token, you guys have a virtual token as well right or virtual ITP type solution.

[0:11:54.2] WN: Yeah.

[0:11:55.1] TF: I mean, do you think there’s a big difference or is it just another relabeling of the technology that’s existed for years that we’re starting to improve and starting to use better and understand how to better introduce the user? Because that’s one of the problems that we’ve always seen is that, those users are really hard to adopt new technologies.

[0:12:12.1] WN: It is really hard and I think where we’re going with multi factor authentication is first of all, we’re being more flexible at the time of the authentication session. Say, “Well where are you right now? Okay, if you are on a plane, you’re not going to have cellular so we’re not sending you an SMS.”

Which method of authentication we offer a lot, you know, we support U2F and hard tokens, soft tokens, our push authentication, voice line, which one is going to work for you at this point in time and we let the user choose that every time. I think that’s a flexibility, you can call it adaptive authentication, you can call it multi factor.

And then, on top of that, there are other factors that the enterprise can put in behind it that the user may or may not be aware of such as again, tying the user to the device so that becomes another factor or you know, implementing geo-fencing or looking at behavioral analysis.

Those are all additional factors that come into play in the policy that the user is not interacting with but it will certainly influence what they will be able to access at that given time. Right, you’re in the wrong location so we’re not going to let you access the most sensitive data, we’ll only let you look at the wiki, you know, or something like that.

I think those two things are changing how we deal with it so it’s not just two factor, you have one token, use it all the time under every circumstance, there’s a lot more leeway for the enterprise to play with their policies and you know, allow devices to be remembered for a longer period of time depending on different circumstances.

I think it’s the flexibility and the range that is growing.

[0:13:50.2] TF: As a trend, do you think that… actually I took two things, out of what you just said. The first one is, you know, you’re talking about device authentication. We tried this a number of years ago. Do you remember TPM’s? That was the whole idea of deploying apart from the secure computing platform. One of the primary objectives of TPM was to provide you with an identifier for your device but that never really worked out because what you started to try and deploy in large corporations it just failed completely because there was no management solution. You couldn’t manage the keys and as soon as you lost the key basically lost access to the machine.

Do you think that’s still true or do you think we’ve moved away from that notion of TPM and moved more to a motion of “we’ve got better ways nowadays to identify a device”?

[0:14:32.4] WN: Well I think the issue comes down to the chain of trust that you want to build. TPM’s are still obviously relevant if you can build a chain of custody so to speak. So for example with the U2F with the UB key nano or whatever, it’s speaking directly to the browser. So at the operating system level there is no way to do a man in the middle attack there, you can’t do that. So they’re working out different ways to build those bridges of trust and it really depends on the workflow that you expect your controls to take. If that makes sense, you’re looking at me kind of strangely.

[0:15:06.4] TF: No, it makes sense. It’s just I am trying to process too.

[0:15:12.6] WN: It’s been a long week.

[0:15:14.0] TF: It’s been a long week and there are a lot of things happening so it’s been tough and I’ve forgotten what was the other point that I wanted to ask you.

[0:15:23.9] TB: Yeah, I remember my days in the corporate world when we had those hard tokens. You would arrive to work and you didn’t have your token with you. So that’s the most frustrating thing in the world. You literary had to go back home because you couldn’t access anything, your email or anything so I knew that adding that layer of security was critical for us but something was also quite a nuisance. So I am making it easier I, think you know?

[0:15:44.8] WN: Yeah and also as you get older as I have gotten older, it’s hard to read those little numbers and my working memory is not what it used to be. So I’d have to copy one at a time while waiting for it to time out.

[0:15:54.4] TB: And then it’s too late, it’s gone.

[0:15:55.2] WN: Yes.

[0:15:56.0] TF: It’s timed out and it’s repeat.

[0:15:57.4] TB: Well even today there’s time outs that are really bad because I use multiple MFA’s or different services and I’ll log into AWS and I get it and I’m like, “Oh god I couldn’t find my MFA” I’ll find my MFA and I am looking at the number. I’m starting to type, it’s the same thing. I am starting to type the number because you’ve got your phone here and you’ve got your computer here, you’re looking for the keys and if you start too late in the sequence, I mean it’s only 30 seconds, come on?

[0:16:21.1] WN: Yeah, exactly. So I think adapting it to what works best for the user at that time is an important step.

[0:16:30.1] TF: Tim was talking about the old corporate security multifactor that we used to have. I did the same thing. I was part of when I used to work in the end user. I was actually part of the biggest smart COD PKI authentication roll outs in the world. So we were talking about 100,000 plus clients and one of the problems that we had is exactly that. You go home, you put your keys on there and you put your badge on the desk. When you leave in the morning you are in a rush because the kids are crying, and you have to get them to school and so say you forget your badge, you could probably walk into the building and that’s a different problem, but…

[0:17:04.7] TB: That’s a whole other issue itself.

[0:17:06.3] TF: But you get to go and that’s nothing so we had to set up essentially a bypass. So you would call the helpdesk and get and basically override the two-factor based authentication just for the end user. Do you think we’ve evolved from that? Do you think we could do better than that now because the technology has evolved or are we still stuck in that quagmire, if you forget something you’re going to have to have an override?

[0:17:31.6] WN: Yeah, something you forget. Well I don’t know if you’d call it an override any more so much as a better exception handling. So one of the issues that users do come to us with or the IT staff is how do we authenticate that person who’s calling in and said, “I left my phone at home, how can I get in?” or “I left my token, what do I do?” how do we authenticate that user again if they don’t have the device that we’re using to authenticate them?

And again, it really depends on how many other factors you have enrolled and what your own process is for granting those exceptions but it’s all about exception handling. I think the other point I was thinking about making was with the TPM’s and so on is that yes, you are getting a level of assurance about which device is being used but the next question is, so what does that mean? So what? We think we know what the device is.

Google in their BeyondCorp paper talked about how many components do you swap out of a device before it stops being that device? And they finally decided that, “Okay we’re going to trust this certificate that we put on.” Because you can change everything else about the device but if you have put in the right data tying that device to the user and it can’t be reused anywhere else, that’s the core that’s left for that assurance but you always have to decide, “Okay, now we know that they’re using that device, why do we care? What does it mean? What decisions are we going to make based on that?”

[0:18:57.9] TF: Yeah and what data is on that device?

[0:19:00.6] WN: What data is on that device, what’s the hygiene of the device? What other information do we have from logs about the current state of the device? What has it been used for? Where has it been?

[0:19:10.4] TB: Right like a health check, essentially.

[0:19:12.0] WN: Yeah, maybe if you’re in an enterprise and you have a lot of managed information about the device, you can say whether it’s currently healthy. You can say whether somebody has cavities or not but in other cases, you can only look and say, “Well they’re brushing their teeth really well so we’re guessing that they don’t have cavities.”

[0:19:30.7] TF: Do you think that in that perspective is like how do we control access to maybe not the online applications because I know that a lot of that Google, the principle is that they are doing everything online, right? So there is very little store on the actual device but in the reality of…

[0:19:47.5] WN: In the real world.

[0:19:48.3] TF: In the real world not in the Google-inspired world, there’s an aspect where users are using data on their machine and if we come to that where we’ve got the cavities in your own environment, we need to be able to put controls into place. That’s one of the focuses that we do with our products and when we talk to customers is sort of how are you going to control access to their device when you are not on the corporate network or when your laptop is no longer valid or whatever. I’ve lost track with where I was going with this.

[0:20:14.2] WN: Well locally based control and local multi-factor authentication I think is what you are talking about.

[0:20:19.6] TF: Yeah, we’re stuck with but we seem to be coming around right? It’s always can I actually protect my data and still enforce that 2FA when I’m offline? I mean before we started this podcast, I have to find instant – I have done a ton to my phone, I had to set up everything. So you’ve got that aspect of if you’re not online how does that multi-factor actually work? I mean I use a UB key too and the nice thing is so though it’s kind of broken.

I was actually talking to the guys this afternoon, I used to use my YubiKey to actually authenticate and look into the machine but because it uses a hash token system, you can actually do it when you’re offline because it is actually validating the hash, asking the UB key to compute if the hash is correct.

[0:20:59.6] WN: Yeah.

[0:21:00.1] TB: All the non-technical listeners are like, “What?”

[0:21:02.6] TF: Exactly.

[0:21:03.2] TB: What did you just say?

[0:21:04.2] WN: They just made a hash of the authentication.

[0:21:06.8] TF: Let’s just say but basically the UB key is acting its own kind of authenticator right? So in less technical terms. So we’ve got the aspect, one of the questions that came up to me – Actually one guy came to me during InfoSec and he’s like, “So here’s my problem. I need to be able to protect data because my data is stored say maybe in Switzerland and only Swiss bankers,” – I gave it a little bit away but I didn’t really want to do that but it doesn’t matter.

“So only Swiss bankers could access that data and they can only access the data that they’re allowed to access,” or only the Swiss users can access that data. So you are getting down to a level of, “Well how do we protect individual fields and how do we encrypt individual fields in a database on a per session basis?

[0:21:56.6] WN: Yeah, I mean that’s exactly the type of problem I was trying to solve 20 years ago when I was working here in London for a Swiss bank and we tried to use – because if you were outside of Switzerland you should not be allowed to access the private banking data. But when you went over the border, you should be able to access it and so we were trying to do this with a GPS-based access control but this was 20 years ago and it didn’t work very well.

You have, to hold the receiver out the window. So yeah, they are absolutely still these problems that people are working on.

[0:22:28.7] TB: Do you think that we have gotten better at identifying location of the device?

[0:22:33.6] WN: Oh no, you’ve read the stories too about the geo location providers who are just like, “Let’s just stick this in the middle of the US and nobody will care” you know?

[0:22:43.5] TB: Yeah, we’ve read those.

[0:22:44.9] TF: We’re getting to – out of closing this podcast I figured we’re getting to a close being it’s almost 25 minutes, almost half an hour. So if you had any final thoughts Wendy what would they be and how can we reach you?

[0:22:57.1] WN: Yeah, well you know like I said I think users are going to be pushing back on the usability of security in general and say, “Hang on a minute, I want my personal stuff not to be under the control of the enterprise. I want to determine what my privacy and security management is going to be. I want to have my own risk model for my stuff even if it’s on the same box as your stuff.”

So we have to be prepared for this and we have to look much more closely at the design when we have to do some radical changes to get us out of the corner we have painted ourselves into.

[0:23:32.8] TF: Yeah and you’re still @WendyNather on Twitter?

[0:23:35.7] WN: Yes, I’m still @WendyNather on Twitter and I’m [email protected], so yeah hit me up with your best shot.

[0:23:41.5] TB: Hit me up on the tweet feed.

[0:23:42.4] WN: Hit me up on the tweet.

[0:23:43.6] TF: Tim, your final thoughts?

[0:23:44.9] TB: No, I think that was great. That was insightful even being on the conference I think it’s great to also hear from customers and what they’re experiencing. It’s great hearing from you as well to hear on your side of the house. You know pairing that obviously with the data protection solution as well with the two factor, I think that’s a perfect marriage, right? If you can get those to come together, you have an all-encompassing strategy.

[0:24:01.2] WN: Yeah, we need to do more together.

[0:24:03.2] TB: Yeah, that’s a great idea.

[0:24:04.6] TF: That’s a great idea, yeah. Protecting the access of data with 2FA. Can you be reached on Twitter?

[0:24:08.9] TB: Yeah sure, just Google my name. It’s easier than giving you my Twitter handle.

[0:24:14.9] TF: My final thoughts, actually my final thoughts are going to be more on InfoSec Europe. The discussion was great Wendy and I fully agree with what you guys said but I had a chance to walk around the show floor and unfortunately I think I saw a lot of the same thing, a lot of the same messaging just with a different blanket and it’s a shame because there is so much more we could be doing. You both know I run BSides London.

Yesterday we had some great talks about sharing and sharing information and participating in a community rather than just building on the single problem or trying to solve a single issue. So yeah, I think that would be my final thought for this week. Beyond the scope of this podcast which was great. So keep an eye out for our next episode later this month featuring Rich Barger of Splunk and you can reach me on the blog or via @FVT on Twitter.

[0:25:05.6] WN: That was easy, FVT.

[0:25:07.8] TF: Yeah, that’s how long I’ve been on Twitter, a three letter acronym.

[0:25:11.4] TB: Really? That’s unbelievable man.

[0:25:13.9] TF: Thanks everybody for listening and have a great day.