Secure Remote Access to Sensitive Resources
The Situation
How can remote access to sensitive Defence networks over a public network be protected against intrusion?
The Task
The UK Ministry of Defence wanted to enable remote access over a public data network to its existing sensitive networks.
Clearly a high-grade solution was needed that could provably resist the envisaged attacks. In particular, the problem of complicit users disowning their own access by alleging that the access method had been compromised needed to be eliminated.
Removing this avenue for repudiation also produced a powerful deterrent. To avoid the vulnerabilities of existing authentication products, a radical approach to federated identity assurance was developed.
The Action / Approach
The logical starting point is a critique of the weaknesses in existing products. Passwords, out-of-band codes and one-time code generators are regarded as weak and have a record of failure; see the NIST Digital Identity Guidelines (SP 800-63), which restrict or discourage several of them. Software-only techniques based on machine learning and artificial intelligence have intrinsic flaws: the most permissive usage, usually demanded by C-level executives, makes those accounts the easiest targets, and a busy administrative team must be on call to handle legitimate exceptions. Most importantly, none of these methods detects that a compromise has occurred.
FIDO and similar variants are designed to remove passwords, but the credential is bound to the web origin being accessed, not to the person using it. If the authenticator is stolen, it continues to work, which makes an excellent excuse for repudiating access. Zero-knowledge methods work only as long as the algorithm and data points have not been leaked by the service provider; if they have been, the compromise is undetectable.
In both FIDO and zero-knowledge methods there is no link to a specific user, so a credential cannot be suspended immediately and per-user usage analytics are not possible. We designed a system that does not depend on fixed secrets, so there is nothing for a hacker to target or for a complicit insider to disclose.
The Result
Value was delivered by:
- Reduced risk of fines and reputational damage: no vulnerability in the access method could be used to repudiate liability
- Better business agility: users could access, from remote locations, legacy applications hosted in sensitive networks
- Enhanced reputation: overall risk to the network was greatly diminished
- More informed, data-driven decisions: data was updated in a timely manner
Focus In On: Responsible for Cyber Security / CISO
New Areas of Value:
Make more informed, data driven decisions
Reduce Risk of fines, theft & Reputational Damage
Enable Better Business Agility
Enhanced Reputation with Peers
Improved Confidence in Role or function