CASQUE is a next-generation technology that provides Identity Assurance for both people and things, and has significant advantages over existing products with respect to security, resilience, and usability, including defense against insider attacks. Given the growing reliance on remote work and collaboration platforms due to COVID-19, I invited Casque managing director Basil Philipsz to discuss how organizations can tighten their defenses and keep their online assets secure.
Please describe the background behind CASQUE and its evolution so far.
We started as a software company doing small projects around security. The idea came to life when we got a big contract from the Port of Dover, to secure access into the port. The Port of Dover is a very busy port with about 10,000 people that work in various functions: customs, freight shipping, leasing, storage and so forth. So our project was to write software that will ensure the physical access was protected, and we did that with physical barriers and turnstiles that required employees to use a magnetic card to get in and acted as an identifier as well.
That was the start of us thinking about the access to data resources on computers as opposed to physical access to office buildings. That got us thinking about the general problem of Authentication which led us to look at what was available. It was clear that every one of the solutions available had some weakness.
The reason that the products were fundamentally vulnerable is that when you look closely at each Authentication method, they relied on keeping a fixed secret. The obvious one is a password, but it could also be a biological template or it could be the embedded key in a SecurID token. It could be the private key in a PKI infrastructure. The problem with all of these methods is that if somebody discovers the fixed secret then the security is bust.
So we thought, how can we design a system where we could keep changing the crucial keys dynamically and instantly, in a transparent way? That was the challenge we set ourselves. It took us a very long time to solve this challenge and we found out why people only used fixed keys!
To explain it in very simple terms, there are three reasons why dynamically changing keys is very difficult and that’s why people don’t do it.
- The first and most crucial difficulty is if you send an instruction to change a key and you don’t get a reply, you are left with an indeterminate state. You don’t know whether the keys were changed or not.
- The second problem is when you are in a dialogue to change keys and to verify that they have been done. If during that dialogue either side has a failure or timeout, how do you recover and restore? This is a classical problem of dynamic updates.
- The third category of problems concerns a threat opportunity. So let’s suppose an attacker was looking at what was happening while this dialogue was occurring, and got to copy the instructions to change the key. What happens is that, at some future date, that attacker will interpose himself between the server and the client and replay that old recorded command. The whole thing would be unsynchronized, so you’d get a denial of service.
In order to solve these problems, we needed four separate inventions. One of those inventions has granted U.S. and EU patents. So that means the core methodology is protected by patents. But the other three inventions we keep as private know-how. Somebody just reading the patent might get an understanding of the methodology, but they will not know how to actually implement it.
Further, in order to show people that we had a credible solution, we went through a certification process with the UK GCHQ, the security experts in the UK government, to get our product, CASQUE, certified for use of Secret. As a result of this, we have implemented various bespoke projects in the UK Ministry of Defence that utilize CASQUE capabilities.
The next phase was to move away from this bespoke type work, and manufacture a commercial product that Customers could use “out of the box”. This required integrations with the main Network Gateway manufacturers. CASQUE has proven interfaces with CISCO ASA, Fortinet Fortigate, Pulse Connect.
The most recent integration we have done is to the open-source Identity platform produced by WSO2. Just recently they have been positively lauded by KuppingerCole, who has rated the WSO2 Identity platform as one of the leaders in this market segment.
How can a company or organization apply your technology to secure their assets?
The technology has software and hardware components. So in terms of software, we supply two licenses. The first software product allows the customer to initially populate our Tokens with a key set. These Tokens are the hardware element. We supply them as effectively “blank” so the Customer can set their own keys and, therefore, we as the manufacturer never have anything to do with the keys, meaning there’s no third party risk. The Token contains a secure chip and can be realized in the form of a contactless Smartcard.
The other software product we provide is the Authentication Server. This piece of software runs on a Windows or a Linux platform, and of course, it can be run on a virtual machine in a Cloud setting.
Aside from connecting with specific Gateways, CASQUE can also be plugged into an OpenID Connect framework. OpenID Connect is a way of doing Identity management on a federated basis. The nice thing about it is that Amazon Web Services, Google Cloud, Microsoft Azure have adopted OpenID Connect as an interface for extending multi-factor authentication. So basically what happens is:
- You try and go to a resource that’s on Amazon Web Services.
- You mark certain credentials as needing special Identity authentication.
- Amazon Web Services then passes off the request to us.
- We take over the browser and we talk to the client.
- After the CASQUE dialogue, if it’s OK, we then tell Amazon that this User should be allowed into the requested resource.
- Additionally we can also provide further Authorisation information to allow more fine-grained access.
Such attacks continue to happen. For example, the latest statistics say that there were over 800 million data records breached worldwide in March 2020. This is a current and ongoing problem. The issue is going to be why are they having data breaches? There are some obvious answers. One of them is that these Authentication techniques that I referred to are vulnerable. As a result of the inherent vulnerability, it encourages attackers, as we recently discovered in the case of the Chinese hacking RSA soft tokens. It was a well-publicized set of breaches that a Netherlands Cyber consultancy has identified, and I’ve written about it in my LinkedIn posts.
The inherent vulnerability of these Authentication methods has another indirect risk because what happens is that Insiders feel confident in leaking information because they always can blame somebody else. Because our CASQUE product doesn’t have any fixed keys, there is nothing for a hacker to discover or for an Insider to disclose. So we have a great deterrent, we remove the excuse to deny and repudiate access.
Let’s say a brand or a company wants to plan its cybersecurity strategy. What are some things they should be considering?
We think that a good strategy is to first determine what are the crucial data assets that the company owns. It isn’t a simple question. You can’t just say, oh, well, it’s all financial or it’s all our IP because that really isn’t homing into what are the crucial assets of your company. The question is, if you didn’t have access to a particular data resource, what is the downside risk? Is there a risk to reputation? Is there a risk to operational difficulties and continuity? How quickly can it be recovered? Those are the questions to ask and to prioritize. If you ask those questions hard enough, you’ll soon discover exactly what data gives you the most pain if lost.
To give you an example of why this isn’t obvious, we talked to a C suite Executive in a big pharmaceutical company. He said to us that when he did this exercise, it turned out that there was only a small subset of data that they thought was relevant because all their drugs were either in patents and protected or out of patent and generic. The only thing they were paranoid about was the test results of their current drug trials because if those were leaked, the competitors would know and would try to outflank. So immediately they could say, these are the resources that need protection and we need to get the strongest protection on them.
You also need to determine who should access the Data Crown Jewels. It might seem an obvious question, but it really does need looking at. Because in lots of cases, it’s not the individual data that matters or who has access to that individual data, what matters is the access to the aggregate data, because that’s where the real value lies.
Once you’ve got those things established, you can start looking at appropriate solutions. So you shouldn’t just go and say, we’re going to go with a security measure throughout the organization, because as I’ve just explained, different assets and different people need different levels of protection. But what it forces you to do is to determine which security method is appropriate for which class of users. And that gets you to review your existing IT structure and operational privileges. It might well be that your existing IT architecture needs revision.
How do you think COVID-19 is going to affect your industry?
Although it is difficult to predict the future, I think the current crisis will ultimately change the way people work because it’s become clear that a large proportion of work can be done flexibly at different times and at home. Therefore the employees might feel able to go back to their employers and say, look, it worked well when we had this pandemic, why can’t we have some rules to allow us to work in a more flexible way. So I think there will be a bigger drive for flexible and remote working as a result of this crisis.
How that gets responded to by employers is a different matter. They might say we really do need to have you back, working proper hours, because otherwise, we can’t really manage things. Or they might say, okay, it has proven useful. We might construct a different structure or set of different working practices.
So I think there will be an effect, and it will require a greater review of security measures. As I mentioned, working flexibly has risks. The increased use of software, whether it’s collaboration software or remote working software, will provide greater attack areas for people wanting to commit intellectual property theft.
What are some interesting trends or technologies that you expect to see more of in the coming years?
Well, I think there are the obvious factors that I mentioned, which is to do with Identity management and the problems of what’s suitable and what’s really secure. And that’s where we can offer solutions.
I think one of the big risks is that people might feel encouraged to do peer to peer working, so if you want to talk to your colleagues, you can just go in and do a session directly with them. Now, that’s a danger to the organization, because if the organization has a lot of these peer to peer exchanges, then the organization itself has lost control because it doesn’t know what’s happening. And if it doesn’t know what’s happening, it can’t control it. So there might have to be this principle that says if it’s corporate data you’re working on, you have to come through the Company’s Servers. You can’t just do peer to peer communication because we don’t know what it is that you’re doing. We haven’t got a record. If there’s any litigation we won’t be able to easily respond.
So once you’ve determined what that crucial data subset is, they’ll have to think about managing it through the Corporate data center. So then the next set of questions will be, what platform do we use? There are a lot of collaboration platforms and project management type platforms out there, and they’ve been growing recently. The problem with these platforms is that they have a tendency to trap you within their proprietary space because once you’ve signed up, everybody has to sign up for that particular chosen software platform. So the ability to introduce the supply chain might prove difficult.
So there might need to be some more generic shared way of working with compatible data formats and APIs to enable you to extend those platforms outside the company, for example, through primary supply chain channels. Importantly, you need to control how you authorize and identify participants; we think our independent, federated Identity capability should help in this area.