Blog posts by Joerg Resch
In looking at the current investor craze mainly around the primary use case of blockchain, the Bitcoin, it sometimes gets a bit difficult to think beyond the bubble and track those blockchain projects, which indeed are on their way to becoming useful in changing the way we do things like selling or buying stuff, digitally moving value, immutably store any kind of documents and data, consume information, create and manage digital IDs, or otherwise influence and change most aspects of our social, political and economic interactions. What we see happening in the crypto-world, is an explosion of creativity and innovation, well-funded through initial coin offerings (ICOs). Most of the blockchain projects we are observing show a high potential for disrupting whole industries.
Blockchain in Cybersecurity
Based on decades of research in cryptography and resilience, cybersecurity and blockchain technology have the same roots and look like natural allies. In offering a totally new way of securing information integrity, performing transactions and creating trust relationships between parties that don´t know each other, blockchains are secure by design and suit well for use cases with high security requirements. It is therefore easily understandable that DARPA (US Defense Advanced Research Projects Agency) has been funding a number of interesting blockchain startups experimenting with secure, private and failsafe communication infrastructures. DARPA’s program manager behind the blockchain effort, Timothy Booher, well describes the paradigm shift blockchain implies to cybersecurity in an analogy: “Instead of trying to make the walls of a castle as tall as possible to prevent an intruder from getting in, it’s more important to know if anyone has been inside the castle, and what they’re doing there.”
Blockchain Identity & Privacy: It all Depends on the Governance Model
Managing digital identities as well as linking them to real humans (identification) is becoming a primary playground for blockchain technology, as it is fundamental for any blockchain use case and as it seems to not only reduce vulnerabilities of traditional infrastructures, but finally offer a solution to give control over personal information back to the user it belongs to (“Self-Sovereign Identity – SSI”). However, the assumption that blockchain is the only way to repair the missing internet identity layer would be as wrong as the opposite assumption. There is no doubt about that blockchain will change the way we deal with identity and privacy, but there are some vital challenges to be solved before - with Blockchain Governance being the one that matters most, as all other problems that are being discussed depend on selecting the right governance model:
- How do we deal with change? We have been in the IT space long enough to know that the only constant is permanent change. Who would decide on “updating” the blockchain? How much of the pure-play blockchain do we need to give up avoiding messing with hard-forks?
- Scalability: The proof-of-work based Bitcoin blockchain has its limits. Is proof-of-stake the only viable alternative or will we soon see massive parallel blockchain infrastructures?
- Private vs. Public, "permissioned vs. unpermissioned": Are we facing a future of walled blockchain gardens?
- Off-Chain vs. On-Chain Governance: What are the risks of on-chain Governance? Will self-amending ledgers be the ones that rule the identity field?
- Future Governance Models based on prediction markets
Shaping the Future of Blockchain ID, Privacy & Security: Be part of it!
The Blockchain discussion will continue to be a core element in KuppingerCole´s Upcoming Events
For the 1st time ever, we´ll offer a “Blockchain ID Innovation Night” at #EIC18, where you will meet with developers, evangelists and experts from most or all blockchain ID projects out there.
More than 12 years ago, the first EIC attracted an already surprisingly large number of practitioners dealing with directory services, user provisioning and single sign-on, as well as vendors, domain experts, thought leaders and analysts. I remember Dick Hardt giving an incredibly visionary keynote on "User-Centrism - The Solution to the Identity Crisis?" at EIC 2007 - a topic which still is highly relevant. Or the legendary keynote panel back in 2008 on the question whether there is a difference between the European way of doing IAM and the rest of the world, moderated by KuppingerCole's Senior Analyst Dave Kearns. In the same year of 2009, Kim Cameron of Microsoft gave a keynote on his Claims Based Model, which eventually came true, even if in an unexpected way... Look at Eve Maler's Keynote on "Care and Feeding of Online Relationships", an early and mature vision on Customer Identity. She held that keynote not in 2017, it was already back in 2009! "Extending the Principles of Service-Oriented Security to Cloud Computing" - a remarkable keynote at EIC 2010 held by John Aisien, as well as André Durand's "Identity in the Cloud - Finding Calm in the Storm". Now, for the latest EIC conferences 2011 - 2017, let me give you a selection of my personal favorite keynotes, even if I would change this selection every time I watch videos from past EIC sessions: Doc Searls - Free Customers - The New Platform Doc actually gave a preview on GDPR before politicians started working on it (EIC 2012); Martin Kuppinger's Opening Keynote back in 2014 on the key trends we talk about today; Patrick Parker's (EmpowerID) famous keynote on "IAM Meat and Potatoes Best Practices", describing what can go wrong in an IAM project and feeding a great EIC tradition of keynotes with high practical relevance; Amar Singh on "Heartbleed, NSA & Trust"; Mia Harbitz on IAM, Governance and Forced Migration at EIC 2016; Dr. Emilio Mordini's great talk "In a Wilderness of Mirrors: Do we still need Trust in the Online World?" and a great Analyst/ former Analyst Keynote Panel on "Shaping the Future of Identity & Access Management" with Dan Blum, Gerry Gebel, Ian Glazer, Martin Kuppinger, Eve Maler and Prof. Dr. Sachar Paulus as the moderator. EIC 2017 just blew my mind. So many great contributions make it impossible to choose. Maybe, to give you an idea, look at these 3: William Mougayar - State of Business in Blockchains, Richard Struse - Let Them Chase Our Robots and Joni Brennan - Accelerating Canada's Digital ID Ecosystem Toward a More Trusted Global Digital Economy. Well, I can't but add another one: Balázs Némethi of Taqanu Bank on "Financial Inclusion & Disenfranchised Identification". Ok, one more: Daniel Buchner (Microsoft) on "Blockchain-Anchored Identity: A Gateway to Decentralized Apps and Services". Because it is so relevant. Come and join EIC 2018 enjoy another 120 hours of great and relevant content with speakers from all around the world. Or propose your own talk through the call-for-speakers feature on this website.
See you in Munich Joerg Resch, Head of EIC Agenda
Vault 7, Wikileaks´ recently published plethora of documents and files from internal CIA resources, has created quite some excitement and noise, and it has even been compared with Edward Snowden´s NSA revelations.
My opinion: this is complete nonsense. In looking at what Edward Snowden has done - disclosing information on methods and extent of NSA´s mass surveillance activities which nobody outside the walls of NSA would have thought it would be possible - these latest collections of CIA authored configuration files and documents describing exploits and methods on how to penetrate end user devices, are not much more than a joke. Vault 7 documents show that CIA is doing exactly what we think they are doing and what secret services are supposed to do. Yes, they may be a bit more "cyber" than we thought they would be at this time, but this is it. No zero day exploits, not a single piece of real news. And not at all a reason to rethink cybersecurity.
Looking at the Wikileaks´ press release about Vault 7, one of the headlines says: "CIA malware targets Windows, OSX, Linux, routers". Huh, this is so shocking news for all of us. We should immediately throw all our gadgets away, switch off (better: unplug) TVs and fridges and call Assange to guide us through the evil reality of cyber, and be grateful to him as a hero of the 21st century, who is so much more important than Guardian-style real journalism. My recommendation: don´t feel alienated by such kibosh. Ignore it.
Ok, maybe one thing that comes into my mind while clicking through the contents: some of the Vault 7 files show that CIA cyber activities are very well stuffed and that they collaborate with the British MI5. But our German BND isn´t mentioned anywhere. This is worrying me a little bit, as it could well be that our guys are being left behind...
The European Commission´s revision of the Payment Services Directive (PSD2) is coming along with a significant set of new requirements for financial institutions with and without a banking licence – and therefore doesn´t only have friends
It all started with the 1st release of PSD back in 2007, which aimed at simplifying payments and their processing throughout the whole EU, i.e. in providing the legal platform for the Single Euro Payments Area (SEPA). In 2013, The European Commission proposed a revised version of PSD, which is aiming at opening the financial services market for innovation and new players, making it more transparent, standards based, more efficient as well as raising the level of security for customers using these services.
These are the PSD2 requirements:
- Banks have to open their infrastructure to 3rd parties through APIs and give them access to data and payments following the XS2A rule (access to account)
- Secure Customer Authentication (SCA) through the use of Multifactor Authentication (MFA)
- Secure communication through encryption
The European Banking Association (EBA) currently is working on a set of Regulatory Technical Standards (RTS), which will be binding after the final version is published. The current RTS draft is taking a principles based approach, not a risk based one. It is requiring a minimum of 2-Factor Authentication (2FA) out of 3 possible factors (password, Card or something else you own, Biometrics) for any transaction exceeding the value of 10€. In making it very clear during a hearing last September that every single user has to be protected from fraudulent activity by all means, EBA is explicitly refusing risk based approaches, where authentication is kept as simple for the user as the value of a transaction in relation to an artificially calculated risk of fraud allows. As a consequence, this could mean the end of credit card and 1-click-payments we have been using and enjoying for years now.
An impressive number of industry interest groups are now trying to convince the European Commission, that the EBA is going beyond common sense and should be guided into a more reasonable position. Risk based approaches have been in place since years and work well. According to a recent meeting between EBA and ECB with the Commission´s Economic and Monetary Affairs Committee (ECON), a record number of 200+ comments with concerns and requests for clarification have been received, with 147 of them having been published in the meantime.
The 3 main items of cristicism expressed in these comments are:
- Giving direct access to bank accounts for 3rd parties
- The 10 € limit for transactions without Strong Customer Authentication
- Exceptions from MFA are too tight
The Commission has made clear in the meantime that the unconditioned strong authentication requirement without any loopholes is a requirement to open the payment calue chain to 3rd parties. We therefore do not expect profound changes for the final RTS compared to the current draft.
What does this mean to current practices and how do authentication methods need to change so that they at the same time comply with PSD2 and still remain as frictionless as possible for users and open for innovation? This will probably be one of the most urgent questions to be discussed (and solved) in 2017.
Join the discussion at Digital Finance World, March 1-2, 2017 in Frankfurt, Germany!
On a trip to New York last week, I had the great opportunity to visit the Henri Matisse exhibition in the Museum of Modern Art (MoMA), which shows his Cut-Outs and is the most extensive and a very impressive exhibition of this period of Matisse´s work. If you happen to be in New York before February – don´t miss it. While walking through the exhibition hall, I saw a young man wearing a Google Glass, moving relatively fast through the exhibits. It looked like he didn´t notice the people around him and seemed to follow a different, invisible path. At some time, I felt a bit sorry for him, because he left away some of those exhibits, which I found to be the most impressive ones.
Digital Business is where digital and analog worlds merge or blur, a digital layer put on top of our analog world in any facet you could think of. Billions of people, businesses and devices communicate, interact, negotiate with each other, and create a trillion moments of opportunities. Digital Business is the design of business models for those moments, and also their exploration. Maybe, the person with the Google Glass had been guided to a part of the exhibition, which was less crowded at that very moment, or he hurried up because the nearby Starbucks Café offered deal tailored to his preferences.
The problem with such digital business designs which come along with technologies like the Internet of Things (IoT), with a new generation of cognitive machines (“Siri”), with wearables (Smart Watch, Glass…), robotics and 3D printing, is that they are operational by nature. IT professionals, who nowadays are more back-office and infrastructure oriented, need to understand the impact of digital business if they want to keep pace with providing technology and risk mitigation.
In less than 5 years from now, all business and technology leaders will need digital business skills. And in the meantime, you should consider hiring a “Chief Digital Officer” or create something like a “Digital Innovation Office”, where the average age of employees might be significantly lower than in other departments. Also, CIOs and CISOs need to find out whether their current technology partners are still the right ones, or if they need get closer to the sources of Digital Business Innovation.
After all – getting back to the guy I saw in the MoMA – even in Digital Business you need to have an attractive story to tell if you want to succeed. Although I don´t think that the Google Glass could add any additional value to the experience I personally had at the Matisse exhibition - in many other situations during my stay in New York, such a personal, privacy enhanced digital assistant would have been just great.
This article has originally appeared in the KuppingerCole Analysts' View newsletter.
It was recently reported that Google has bought Nest Labs, a manufacturer of home automation sensors and devices with, currently, two products: a digital thermostat and a Smoke + CO Alarm. Why is it, then, that somebody would spend 3.2 Billion USD for a company producing home appliances that have been around for ages from many other manufacturers? And also, why Google?
First and foremost, Nest seems to know how to produce neat and innovative hardware devices that really listen to the user's needs. They are as easy to install as such a device can be, and provide probably the most innovative protection features against device failure on the market for battery powered or battery backed-up smoke alarm devices today. Plus it looks nice, not accidentally reminding me of Apple's design knack: Nest's Founder Tony Fadell was one of the iPod creators at Apple and therefore actively contributed to the appearance of a new quality in tech product design, which has been raising the bar for all market participants together. With companies like Nest Labs, established home automation vendors like Siemens, Gira, Busch Jäger and all the others will be forced to quickly move beyond their current offerings or just lose the market.
Now, buying a company which has the knowledge to produce nice home automation devices certainly has some value, but not $3.2 Billion.
What else is behind the deal? Nest Labs' devices are connected to the Internet and only work as designed with an account that users create in the “Nest Cloud”, where they store their device configuration and where their devices regularly send status information, like room temperature or luminance, and even information about whether somebody is at home or the house is empty.
It is Google's vision that we all will continue to not care about leaking personal information to whatever extent, that pushed the price. But even if we continued to see Google on the good-guy-side, what about the bad guy's hacks? Would you really entrust your jewelry at home to the “s” behind “http”? The total absence of “privacy by design” and user controlled information flow with encryption based privacy options do make Nest Labs' innovation extremely weak. The first one offering the same thing in a privacy-aware version will be the clear winner, because, don't forget, this thing goes after your “real” jewels.
There are quite a few more weak spots in this deal, too many to name them all. Here are the ones that came into my mind at first:
- The current 2 products of Nest Labs are US market only. They need significant redesign for many other markets, i.e. to comply with local regulations, or to better compete with local offerings. For example, very few people in Europe would buy a smoke alarm device, which costs 3-4 times more than one would have to pay for a more reliable (non-speaking, old-school) device with 9V lithium battery or wired power with central and/or local UPS.
- Thermostats are by themselves not innovative. The need to heat a house is a bug, not a feature. I personally do not need thermostats, because I chose a different approach and insulated my house in a way that I don't need a dedicated heating or cooling system (Passive House Standard), even though temperatures over here are comparable to the ones in Washington D.C. The “passive” in “passive house” means that I have 22-28 degrees Celsius all year without Internet connectivity and without a single line of code ;) and without spending a single $ on energy or on devices to manage the energy I don't consume. So – producing a smart thermostat is not leading edge. There are smarter ways to get your home nice and cozy.
- The Internet of Everything will bring much more useful applications than a thermostat or a smoke alarm. The real value these devices provide beyond their key feature (detecting smoke or regulating heat) is completely absorbed by Google. This is not a good deal because, after all, those devices are pretty expensive compared to “old school” devices.
In my last post I mentionned the motor driven door locks I have at my home. A frequent question I get from friends visiting me is, wether that doorlock system, which works with pincodes, RFID, remote conrols and over the Internet, is connected to the KNX/EIB bus system I also have in my house to control lights, shutters, air circulation, music and some other features. And the answer is no. Because, no joke, EICB/KNX, which seems to be the most spread "standard" for home automation, does not provide any security feature. no encryption, no authenication. If you get access to the 2 wires of a bus, then you can control anything which is connected to it.
Luckily, EIB/KNX installations are so incredibly expensive (my installation is a DIY one), that it will never spread on a large scale...
My colleague Martin Kuppinger recently (and quite a while ago) has posted some critical articles on smart infrastructures in his blog.Yes, security is a big issue there. However, it is not only about security in these more or (in most cases) less smart infrastructures. It is also about making these infrastructures work at all and, last but not least feasible for a large audience.
In my home, which is a so called passive house (well insulated, large, south bound windows for passive solar heating, saving 98.5% of heating energy compared to a standard building...) I have a smart meter. I have solar panels on my roof and the sun also is producing the warm water. Altogether, the house is producing more energy than we are consuming, so that we can sell electric energy back to the supplier during the day. The utility company, which had to install such smart meters by law, would not have done that if I had not insisted on doing that. And I know now why.
Because the utility company is not able to “meter smartly”. During the past few weeks we had repeated visits by their employees trying to collect the data the smart meter has collected. They are using the human interface between their central and my house with somebody making an appointment and then visiting me, bringing along some small device for infrared for communication between the smart meter and his own mobile device. That infrared device than should send the data via Bluetooth to an iPhone app. So the interface looks like this: phone-appointment -- car -- walk -- doorbell -- visiting the smartmeter -- attaching the infrared device to the smart meter -- waiting with the iPhone in hands until something happens -- and waiting -- and waiting -- and back to start. This obviously is a perfect mix of unsecure devices and unsecure and inefficient communication standards and processes.
However, the risk is limited given that it just does not work. The utility companies’ employees are waiting for minutes in front of the smart meter, hoping that something shows up in their app. That did not happen. On the other hand, he was not able to manually read the data from the smart meter because he just had no clue what the different values shown on the smart meter’s display are about. Eh -- I didn't mention before -- it is more than one smart meter. We have a separate one for the solar energy we sell to the utility and we have one that counts the solar energy we user ourselves. But those meters are read by a different person and not together with the reading of the meter measuring the inbound energy consumption.
Now, luckily enough, I have a door with motor lock at my home, which I can operate remotely though my windows phone, so that I don't necessarily need to be at home when somebody from the local utility company makes appointment (or just rings the doorbell). Until the day I got these smart meters in my home, I thought that they are built to be connected and read remotely. But this is not the case. The meter would be able to, but oviously the infrastructure for accessing those meters remotely does not exist. And also, having experienced the skills level of the person operating the reading device, it probably is better for me if the utility don't even try to remotely connect to my meters. Being smart is definitely being something different. And no one needs to wonder why I’m the only one in my neighborhood with a smart meter.
This story and the topic of smart metering is not only about security. It is about building an infrastructure that works smart. It is about having smart, well educated, and informed employees that can handle that new infrastructure. Both security and the lack of usability are symptoms of a horribly planned entry into smart infrastructures. This is probably one of the very big misses over here in Europe and the main reason why we are now entering a period of ultra-high hacking damages ….
Recently I came across a news alert that Google have released Android 4.0 on some new mobile phone. 4.0 already? That is extreme, Android hasn't been around that long. It is good on one side, that there seems to be a strong community of developers eliminating bugs and improving on a fast pace. On the other side - you need to be quick in carrying your new Android smartphone home if you want to install the first OS update before your hardware becomes incompatible with the latest release.
Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb.... now Ice Cream Sandwich and soon Jelly Bean - Android versions are named after desserts - I got lost with my Android device (a HTC Hero) somewhere between Cupcake and Donut, or between Donut and Eclair. The problem was, that I never got my phone to sync with my PC. No sync, no Android update. But I would have needed that update, because the Android release installed on my phone produced an error which would not let me use my google user account to log into the marketplace. No sync, no update, no new apps. No smartphone. According to some forum entries (I wasn't the only one with that problem), this issue was due to be solved with the next update. While waiting for that update, I made the experience that even such elementary features like receiving a phone call could let the device crash and reboot. So I changed back to my ordinary phone - and missed to install Donut or Eclair. Or was it Froyo already? Froyo 2.2? Froyo 2.2.1 or Froyo 2.2.2? The only thing that I remember is that the available Android release wasn't compatible anymore with my hardware.
As not even my 12 years old son was interested to take over a nearly unused piece of Android based Smartphone Hardware, I threw it into that carton containing empty batteries and defective hardware, and switched to Windows Phone 7, and now everything works. I installed the Sim card, switched it on and everathing worked. I added my IMAP user account information to access my mail folders and I configured LDAP to access my addressbook. Then I installed some very useful apps, like a mountainbike navigation software, and for the first time ever I now have a smartphone which really is smart. I have been using it for over a year now and never had any issue with it. It just does what it is supposed to do.
The question I have: Why is my personal experience so different from what I read and hear from others? Anyone else with similar experience?
It seems that we now have entered the “Age of Political Cretinism”, with governments reducing themselves to either waste money or produce malware. We have several recent examples for this tendency: Stuxnet, Duqu and similar, (have alook at Martin's recent blogpost on this) well elaborated and dangerous trojans aiming at large industrial facilities on the one side, and poorely timbered Trojans used to regain the option to spy anybody's communication with anyone in a time where skype and similar services have made this more difficult for governments. The German so-called “Staatstrojaner” (State Trojan) used by police and customs to look at what suspects are doing with their computers, is an example for the latter type of government malware.
Why, for heaven's sake, is a government taking the risk to attack citizens with such a stinkeroo coded Staatstrojaner? Considering that information security is as poor as that Staatstrojaner - just imagine the damage somebody can create if he/she strikes back.
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.
Companies continue spending millions of dollars on their cybersecurity. With an increasing complexity and variety of cyber-attacks, it is important for CISOs to set correct defense priorities and be aware of state-of-the-art cybersecurity mechanisms. [...]