“Current systems such as RBAC or ABAC typically end up giving internal users way more access than they require to perform their tasks. Just-In-Time Access Management can curtail privilege sprawl and ensure that users have just enough access as is required by their sanctioned activities.”
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As a part of this series, I had the pleasure of interviewing Atul Tulshibagwale.
Atul is a federated identity pioneer and the inventor of Continuous Access Evaluation Protocol (CAEP), forming the basis of the Shared Signals and Events working group in the OpenID Foundation, which he co-chairs. Prior to joining SGNL, he was a technical leader at Google where he focused on extending access security across multi-vendor SaaS and on-premise systems. He was the CEO and Co-Founder of Trustgenix (acquired by Hewlett Packard), where he defined the federation server, an architectural concept now adopted by all major Identity Providers. He helped define open standards such as the Liberty Alliance and SAML 2.0. He continued with HP as the Director of Federation. Prior to joining Google, Atul was at MobileIron as an Identity Architect.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Pune, India, where my father was an entrepreneur. I was therefore exposed to the personal hardships of a struggling business. My mother was a teacher, and our family often survived on her salary. I worked my way through college as a control systems programmer in my father’s electronics workshop. After graduation, I joined a government lab, on the team that produced India’s first supercomputer.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
The supercomputer lab’s success brought down US export restrictions to India. As a consequence, I ended up looking for another job. Since the Internet was just starting to form at the time, I figured cryptography would be useful so that “you know who is at the other end” on the Internet. I started a job in India that required cryptography, but we found out that the required cryptography toolkit could not be exported from the US to India. So, I had to eventually move to the USA after my employer got a Department of Commerce clearance for me to work on the toolkit. While in Atlanta, I built an understanding of what kind of security would be required for the Internet, and figured that the “certificate authority” would be a key piece. I sought out and went to work for what was then a tiny Silicon Valley startup — VeriSign. VeriSign became hugely successful, and it solidified my passion for Identity.
Can you share the most interesting story that happened to you since you began this fascinating career?
When I was at VeriSign, I championed the development of federated identity standards. However, customers were reluctant to leverage a cloud-based service (which at the time used to be called just “online service”) to provide federated authentication based on these standards to their own employees. Multiple customers requested that we provide software that we could ship to customers’ premises to provide this capability. After much debate in VeriSign, the company decided not to get into the on-premise software business. Seeing this obvious demand, a colleague and I decided to start our own company to provide this software (later named the “Federation Server”). The interesting thing was that none of the VeriSign customers who were so passionately demanding on-premise software actually bought it from our startup!
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
The three character traits I can think of are:
- Be curious and open-minded: I tend to accept that I know little of anything, and it’s a good idea to learn about any new thing I’m embarking on. It’s often useful to keep an open mind about new ideas and products that you learn about, rather than reacting instantly without understanding them fully.
- Always be aware of reality: I like to believe that I’m well-grounded in reality. Oftentimes, we can make plans that sound like they will produce glorious results, but we may be making assumptions along the way that are contradictory to what we know, or what we can know. It’s always good to be aware of reality — even if it’s not pleasant or even agonizing. Being open-minded and not reacting emotionally helps us be aware of reality.
- Be agile: “I bought this stock at $100, how can I sell it at $90?” is the kind of attachment to past decisions, possessions or situations that can reduce one’s agility in moving forward. In the stock example above, it shouldn’t matter what you bought the stock at, it should only matter where it will go from here. The same thing applies to many things in life. You may be heavily invested in an idea, in a position at an organization or in a path that you have chosen. It’s always good to see where it’s leading you rather than reflect on how much you have invested in it. That’s not to say that you should give up at the first hint of trouble, but you could “fail fast” and move on to the next thing.
Are you working on any exciting new projects now? How do you think that will help people?
I am a co-chair of the OpenID Foundation’s Shared Signals and Events (SSE) working group, where we are promoting important zero-trust standards such as CAEP. We are just starting to see widespread adoption of SSE beyond the initial adopters like Microsoft and Google. This will help enterprises secure access to their data in zero-trust environments.
I recently co-authored a blog post that spells out the need for a new standard to secure RPCs. This will go a long way in securing cloud infrastructure, especially in a world that depends on multi-cloud and uses third-party APIs.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
I have been working in this area for many decades now, at companies that have pushed the limits of technology and achieved tremendous success. While I’ve been a colleague to brilliant team members for most of this ride, I feel I have learned a few things along the way. I have also suffered failures in my endeavors from which I’ve learned quite a bit. To put this in concrete terms:
- At VeriSign, our team laid the foundation of Internet security by working on SSL, which later became TLS, and issuing certificates to 95+% of online businesses for a time. Our root certificates were embedded in browsers, operating systems, network routers and switches and every imaginable piece of internet infrastructure. As a result, we spent many sleepless nights when we realized one of those would expire soon! Since we were able to silently address these problems that happened more frequently than you would think, TLS is now relied on 100% by anything connected to the Internet. I have been involved in the development of federated identity standards right from the start. I was at the first meeting of the Liberty Alliance in Orlando in 2001 that kicked this off.
- I left VeriSign soon after and started my own company — Trustgenix — that was entirely focused on federated identity. While we helped define the SAML 2.0 standard on the one hand, we also defined the concept of a “Federation Server”, which is now used by all technology providers. SAML 2.0 is now the most widely used federated identity standard in enterprises.
- At Google, I invented the Continuous Access Evaluation Protocol, which was then just a proposal. It has since merged with a parallel effort in the OpenID Foundation and the result has been used by companies like Google, Microsoft, Okta and Cisco. Microsoft alone sends about 25 million CAEP events every day.
- As a chair of the OpenID Foundation’s Shared Signals and Events working group, it has been awesome to work with top researchers from leading organizations in this area.
- At SGNL, we are now redefining what authorization means in enterprises. I’m privileged to be joined by many former colleagues from Google, and other brilliant team members. The Just-In-Time Access Management solution we recently launched has been extremely well received by customers and prospects.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
There are a large number of possible ways in which an attacker can subvert an organization’s digital infrastructure and inflict damage on the organization. Before we get into the types of attacks, it’ll be good to review what the attackers’ goals can be:
- Ransom: Deny an organization and/or their external users access to their own digital infrastructure and assets and collect a ransom in order to re-establish such access.
- Data exfiltration: Exfiltrate commercially valuable data from an organization’s infrastructure and profit from the sale of such data. Typical examples include credit card or identity information, but this could include insiders releasing information to unauthorized parties for personal gain (e.g. the value of a bid made by a supplier to their customer).
- Pass through compromise: Compromise one organization’s infrastructure in order to gain unauthorized access to another organization. Many organizations that are suppliers to a large number of other organizations have been compromised lately in a way that damages the organization’s customers. For example, a company named SolarWinds supplies infrastructure management software to a large number of businesses and government agencies. Its software was compromised in a way that gave attackers access to all their customers’ infrastructure.
- Commercial compromise: This includes attackers tricking employees into sending payments to wrong recipients and also includes malicious insiders that offer unusually favorable terms to legitimate trading partners for personal gain.
- Denial of service: Deny external users access to an organization’s digital infrastructure in order to reduce trust in the organization or cause financial loss to the organization.
The following are the common “attack vectors” (i.e. mechanisms by which a compromise can take place) of cyber attacks:
- Perimeter compromise: While many organizations are moving away from a perimeter based security model (to a zero-trust security model), perimeter-based security is still used by a large number of organizations. Penetrating this perimeter by compromising a firewall or router is a common attack vector.
- Endpoint compromise: Certain high-value individuals’ personal devices are compromised to enable the attacker to masquerade as an employee (or extended workforce user). For example, an Okta contractor’s laptop was hijacked by attackers in order to gain access to hundreds of their customers.
- Vendor compromise: An organization is compromised because a supplier or managed service provider it uses is compromised. These attacks can be as devastating as a perimeter compromise, as became obvious in the case of the SolarWinds compromise, and similar attacks. Managed security service providers like OneLogin have been compromised over a period of months, exposing their thousands of customers to unauthorized access.
- Insider driven compromise: An organization’s employees and extended workforce often have way more permissions than their tasks require at any given point in time. This has been exploited not only by malicious insiders, but also by attackers masquerading as insiders to exfiltrate data or commercially compromise an organization. Newer approaches like Just-in-Time Access Management can effectively address this type of compromise.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Businesses are really just individuals working on behalf of an organization. So every individual, whether they’re working on behalf of an organization or acting individually, should be vigilant about the potential for cyber attacks. While attackers tend to target organizations more because of the potential for higher returns, many attacks rely on compromising a user’s personal account so as to socially engineer an attack on their business.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
The US Department of Homeland Security has put together this guide to help one identify where to report cyber crime incidents. It includes resources to contact the FBI or other agencies as appropriate. It’s important to note that if there is an immediate threat to public health or safety, call 911.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Not maintaining offline and updated backups is probably a critical omission that “gets” businesses in the case of a ransomware attack. Many businesses also lack a preparedness plan to respond in case such an attack happens. The CISA “Ransomware Guide” outlines three main vectors of attack: misconfigurations or vulnerabilities in Internet-facing components; phishing; and compromise through third-party and managed service providers’ access. Another aspect is that a ransomware attack could have been preceded by a network compromise with stealthy bots running inside a business’s network before the actual ransomware is downloaded.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
First thing to do: read the “Ransomware Prevention Best Practices” section of the CISA Ransomware guide. One immediate thing companies can do to prevent phishing-based attacks is to implement multi-factor authentication. This is really simple to do, supported by every vendor, and can help enormously.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)
Business leaders should do the following:
- Define and maintain a preparedness plan: if your business was attacked tomorrow, how would you respond? How would you make sure critical systems are kept functioning, or can be re-constructed soon after an attack? A part of this is to build a good threat model for your business. The OWASP Foundation has a good resource that explains how to go about threat modeling. The MITRE ATT&CK framework provides a comprehensive knowledge base of attack vectors that you can model for. As an example, the lack of a proper preparedness plan delayed the Colonial Pipeline’s return to normal operations by several days.
- Cover the basics: there are simple things like multi-factor authentication (MFA) that can go a long way in preventing phishing-related attacks. It is equally important to ensure that all internet-facing components are updated and patched to include fixes for the latest vulnerabilities. Also ensure that MFA or federated login is required for accessing third-party services or managed service providers used by your organization.
- Transition to a zero-trust security model: Conventional security assumes that you can secure a perimeter inside of which authorized users such as employees or your extended workforce can access required resources easily. The pandemic-driven transition to remote work, the increased reliance on cloud-based services and the increasing use of mobile devices have rendered this perimeter-based security model obsolete. It is therefore inevitable that every business employs a “zero-trust” approach to security. This transition is potentially overwhelming, but necessary to secure any organization’s cyber infrastructure. The National Security Agency (NSA) has provided a comprehensive guide for how to go about embracing a zero-trust security model.
- Secure access to your infrastructure: With zero-trust, the identity of a user becomes your security perimeter. Parts of your organization will have highly privileged access to infrastructure. You need to ensure that such access is properly segmented and secured. A number of “Cloud Infrastructure Entitlement Management” (CIEM) products can help in this respect.
- Modernize enterprise authorization: All of your organization’s internal users, including employees and your extended workforce, will have access to your organization’s digital assets. In a world of remote work and zero-trust access, the only thing that technically prevents internal users from taking potentially damaging actions is proper authorization controls. Current systems such as RBAC or ABAC typically end up giving internal users way more access than they require to perform their tasks. For a detailed look at how this can happen, read my blog post on the topic. Just-In-Time Access Management can curtail privilege sprawl and ensure that users have just enough access as is required by their sanctioned activities. Our company, SGNL, provides such a solution. You can read more about it here.
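The contrast drawn in this answer, and in the “Insider driven compromise” vector earlier, is between standing role-based grants and access that exists only for a sanctioned activity and a bounded time. The following is an added example, not code from the interview or from SGNL’s product: a toy policy engine in Python that evaluates the same user under both models. The role name, permissions, ticket id and timestamps are constructed for illustration; a real deployment would source the “sanctioned activity” from a ticketing or approval system and the time from the policy decision point.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample: one static role bundles every permission a member might
# ever need, which is the "privilege sprawl" the interview describes.
RBAC_ROLES: dict[str, set[str]] = {
    "support-engineer": {"crm:read", "crm:export", "billing:refund"},
}


@dataclass(frozen=True)
class JitGrant:
    """A time-boxed permission tied to a sanctioned activity (here, a ticket id)."""
    user: str
    permission: str
    ticket: str
    expires_at: datetime


@dataclass
class AccessEngine:
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    jit_grants: list[JitGrant] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)

    # --- static RBAC path: access follows from role membership alone ---
    def check_rbac(self, user: str, permission: str) -> bool:
        return any(permission in RBAC_ROLES.get(r, set())
                   for r in self.user_roles.get(user, set()))

    def standing_privileges(self, user: str) -> set[str]:
        """Permissions a user holds at rest, with no activity attached."""
        return {p for r in self.user_roles.get(user, set())
                for p in RBAC_ROLES.get(r, set())}

    # --- JIT path: access exists only for an approved activity and a bounded time ---
    def grant_jit(self, user: str, permission: str, ticket: str,
                  now: datetime, ttl: timedelta = timedelta(minutes=30)) -> JitGrant:
        grant = JitGrant(user, permission, ticket, now + ttl)
        self.jit_grants.append(grant)
        self.audit.append(f"GRANT user={user} perm={permission} ticket={ticket} "
                          f"until={grant.expires_at.isoformat()}")
        return grant

    def check_jit(self, user: str, permission: str, now: datetime) -> bool:
        # Prune expired grants on every check so standing access cannot accumulate.
        for g in self.jit_grants:
            if g.expires_at <= now:
                self.audit.append(f"EXPIRE user={g.user} perm={g.permission} ticket={g.ticket}")
        self.jit_grants = [g for g in self.jit_grants if g.expires_at > now]
        return any(g.user == user and g.permission == permission for g in self.jit_grants)


def run_demo() -> dict[str, object]:
    """Walk two constructed users through both models and return the observations."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    engine = AccessEngine(user_roles={"alice": {"support-engineer"}})
    results: dict[str, object] = {}

    # RBAC: alice can issue refunds at any time, whether or not a refund is in progress.
    results["rbac_refund_anytime"] = engine.check_rbac("alice", "billing:refund")
    results["rbac_standing"] = engine.standing_privileges("alice")

    # JIT: bob holds no standing role; access appears only with an approved ticket.
    results["jit_before_grant"] = engine.check_jit("bob", "billing:refund", t0)
    engine.grant_jit("bob", "billing:refund", ticket="REF-1234", now=t0)
    results["jit_during_ticket"] = engine.check_jit("bob", "billing:refund", t0 + timedelta(minutes=10))
    results["jit_after_expiry"] = engine.check_jit("bob", "billing:refund", t0 + timedelta(minutes=31))
    results["jit_standing"] = engine.standing_privileges("bob")
    results["audit"] = list(engine.audit)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is in the two `standing_privileges` results: the RBAC user carries a refund permission at rest that an attacker masquerading as that user can use at any time, while the JIT user carries nothing at rest and every grant leaves a `GRANT`/`EXPIRE` pair in the audit trail that can be reconciled against the ticket that justified it.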
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
Most vendors in the tech industry currently follow two possible approaches to providing security:
- Vertically integrated solutions: The message to the customer is, “buy everything from us, and you will not have a security problem.”
- Partnership solutions: A few select vendors come together, integrate their products with each other in proprietary ways and convey the message to customers that “If you buy everything from any of our partner companies, you will not have a security problem.”
What appears to be overlooked or ignored in the above strategy is that security is only as good as its weakest link. Customers are almost never going to be in a situation where they have products only from a select few organizations. Even if they do get there, they will go through transformations as a result of M&A or vendor changes such that they will end up with products and services from a multitude of vendors, not all of whom are in the “Walled Garden” of proprietary integrations.
I’ve heard key technical experts from these vendor companies say privately that the industry needs to move to a “shared outcome” model, i.e., the tech industry should provide products and services that can fit into a fabric of security regardless of who the other vendors in the customers’ environments are.
To achieve this, a simple approach is to use, or develop if necessary, open standards that can be adopted by all. This eliminates the need for proprietary integrations between vendors, and everyone, regardless of their size or affiliation, can provide interoperable solutions to customers.
I have dedicated a good amount of effort over many years developing such standards for zero-trust. I invented the Continuous Access Evaluation Protocol (CAEP), and I am now co-chairing the Shared Signals and Events working group (SSE) in the OpenID Foundation that is standardizing this proposal in a broader context. Major vendors like Microsoft, Cisco and Box have already announced their support for SSE and CAEP and we’re seeing a growing momentum in the market to adopt and support such open standards.
How can our readers further follow your work online?
- I publish regularly on Twitter: https://twitter.com/zirotrust
- I am also active on LinkedIn: https://linkedin.com/in/tulshi
- I regularly post articles on the SGNL blog