Analyst Chat #94: From Ransomware to Globally Assured Identities (EIC 2021 Special)


EIC 2021 finally took place in Munich in a hybrid format, both on-site and online. Of course, Matthias took the opportunity to sit down with his analyst colleagues in person for some EIC special analyst chat episodes. In the first of three specials, Christopher Schütze talks to him about the findings from his pre-conference workshop on defending against ransomware, and they also turn their attention to a promising new approach to creating globally assured identities.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm lead advisor and senior analyst with KuppingerCole. This is a very special edition of this KuppingerCole podcast, because we are live here at the EIC conference in Munich. It's September 2021. And my guest today is Christopher Schütze. He's also a lead advisor and he's the director of the Cybersecurity practice here at KuppingerCole.
Hi, Christopher. Good to see you in person.
Good morning, Matthias, nice to see you really in person. That's a very special moment these days.
Exactly. And our topic today is actually also reflecting the current situation. We are at the EIC. We're halfway through EIC right now, and we want to reflect on what has been going on at EIC, at the European Identity and Cloud Conference here in Munich. And we just want to tell you a bit about what happened and maybe also make you a bit interested in rewatching the streams, the videos, the recordings, the panels that we had, so that you can dive into these topics afterwards. So really just pointing at what's there, not giving a fully comprehensive picture of what's been said, but just to make you want to look at things. So first of all, Christopher, now that we're halfway through, if we go chronologically through the agenda, what was the first interesting thing? I think you can share a very special topic here.
Yeah, the first really interesting thing was for sure one of the opening workshops, because I met Martin Kuppinger and Annie Bailey for this. This was about ransomware resiliency. And that is really an interesting topic. And again, we are in such a hybrid format. So we had attendees online, we had onsite attendees, and this was really a special situation. We did a lot of workshops in the past, but always onsite or only remote. And it worked really, really well. And it was an interesting topic, right?
Now with the interaction, was there really an evolution of the topic? Did you get to conclusions that the audience could take away, that they really had something to benefit from? And maybe, when is this possible to rewatch afterwards as well?
I think there is a recording, and this will be available maybe right now or in a few days. And it was really an interesting session. Again, it was about ransomware resiliency, which means we started to explain to our audience what is going on with ransomware. What is it in general? And does it make sense for you to pay the ransom? I mean, it's an important question. I don't know who of you is familiar with ransomware attacks, but at the end, all of your systems, your data, are encrypted. You are not able to access them anymore. And some blackmailers ask you to pay a ransom of many millions or even more to get access to your data again. And then you need to decide whether you pay the ransom and get access to your data back, or not, or, in the best case, and that was what our workshop was about, you are prepared.
You have backups, you have strategies, you have incident response management, you have business continuity management processes for your IT assets, really to improve the level of security here and be able to continue to work and not become the victim of ransomware attacks. And we had an interesting poll during the session, or an interesting, frightening poll, where we asked: do you think the amount of ransomware attacks will rise in 2022? And we had 100% yes. And that's really a clear statement that this is also a trend or tendency we see in the market, when we talk to our customers in advisory or talk to people here at the conference or at others of our conferences.
So it was really a practical workshop, really something that is focused on daily life, also preventing these ransomware attacks and trying to identify how not to fall victim to
Exactly. So everything starts, from our understanding, with knowing what to protect. So at the end, this is something Martin mentioned: you need to know your IT assets. You need to know the things you have within the organization, and also the shadow IT, the stuff someone in the IT department or in some marketing department bought on AWS or Azure and is running, something with customer data. This happens, we all know that, but you need to know that, otherwise some attackers could gain access. And in the worst case, they steal the data, publish it somewhere in the dark net, or they encrypt it and force you to pay some money to get access to it back. And at the end, we had a very interesting discussion around which amount should be paid in a ransomware attack, if you pay. And the outcome was basically: if the expenses of protecting these assets are higher than the ransom, then you can decide what to do. But the main problem here is, cybercrime is an industry. If you are a potential good customer, so you paid once, the chance that you have to pay a second and third time is really high, because they like good.
Interesting. Yeah, that's a good point, because you need to take into consideration that there might be more than one incident. So that is interesting. And to go more into the agenda of EIC, I found that there is an ongoing topic that really comes up in several talks already, and that is also something that I will talk about tomorrow. And this is the topic of multi-cloud, multi-hybrid: moving away from just having on-premises plus cloud, but getting to a much more complex, much more, yeah, interwoven infrastructure between on-prem, VMware, cloud as a service, IaaS, PaaS, so infrastructure and platform as a service, and software as a service, combined with different types of ways of people working, so DevOps and traditional applications. And I think Martin did a very great keynote about that too, how to get a grip on how to deal with this. What are your thoughts about this topic and about Martin's keynote?
Yes, Martin's keynote was really great. He shared some new insights, some new concepts, three of them, with the audience. I guess they are already available for you in the live stream, or Martin also announced that he will create several blog posts about the topic, but it's really an interesting one. And also in the ransomware workshop, we had some discussions about the cloud, the multi-cloud, the hybrid environment, because that is a good statement from his presentation: the guys who operate systems. So if you have infrastructure as code and the operational guys are not people who implement code, then there is a chance, or a high chance, that there is potentially an error in the source code. And then you open again another hole, another attack surface, that you wanted to fix with some of these approaches. And at the end, you run agile systems on cloud systems. You have containers, serverless, APIs, and all that stuff, combined in a really, really complex world, combined with your on-premise stuff. And this is really a challenging thing to
Exactly. And I think what really can help in getting to a proper solution is something that Martin has been propagating for years now, and it's coming more and more to the center of the stage. This is policy: defining policies and enforcing policies at every aspect of your infrastructure, from access to how infrastructure is created when it is code, so that it's not hand coded, but follows rules designed and defined by policies. And that is really something that is a common pattern through all of these three, yeah, paradigms that he presented in his keynote. So automation, policies at the core, not having to deal with complexity by adding complexity, but by adding simplicity and a concept and a plan, and to operate on that. I think we should not go into much more detail, because we have this presentation on tape.
So we really recommend rewatching that keynote and rereading the blog posts that are covering these three paradigms called BASIS, SODAS and DREAM. So these three levels, and I just want to point you to the website to download or watch this presentation online. It's really worth it, and it's thought-provoking. I want to talk about one more topic that I really found interesting yesterday. There was a presentation which actually was giving insight into a project that just started, for the first time. So we're really flattered that the team behind that did their first presentation here at EIC. It's a project that's entitled GAIN, and I have to read it out, not to make any mistake: it's the Global Assured Identity Network. And I also can only hint that the presentation will be online, and there will be a panel also tomorrow, which will have a closer look at this topic.
So if you are interested, when this episode is out, then the panel will be available as well. So there's more material. Of course, I will give a hint to their website. The idea is that they want to finally make these assured identities available for all of us at scale. And at scale means globally. That's the reason: Global Assured Identity Network. The idea is that you have trusted partners, trusted authorities that can provide assured identities because they have to do that anyway. And their idea was to start with financial services organizations, with banks, who have to do identity vetting, who have to make sure that they do proper identification of their users before they let them authenticate. So they're doing that for themselves. And they said that, as a quote, because that's where the money is. They have to do it. It's a costly process, but they have to do it anyway.
And the idea is now to share this identity information, this trust, in a global network, and to distribute that at a global scale to allow services that build upon that. So once you are registered with your bank, with your insurance, with your state by having an eIDAS passport, or with your telco, because you have an assured telephone number and you're using that for payment, then you have achieved a level of trust that can be shared with others. And so that makes it possible that this network of institutions, of identity information providers, really shares this information. So once I've registered with one of these parties and I agree to have my information shared, I can access services much more easily. And on the other hand, the service providers, so relying parties in terms of IAM, they can use these assured identities on a global scale.
So it's much easier to onboard users, because they are already trusted, because they have been vetted. And it's much less likely that you have these drop-off rates during registration on the website, because you don't have to type in username, password, and authenticate and get a confirmation mail and send that back, and have all these types of authentication in place, because you do already have a trusted, verified identity, and that is shared across these networks. And this is really an interesting thing. They cover many aspects. They cover the technology, they cover the organization, they cover the legal and regulatory part, and give very strong hints. And the really good thing is they are already implementing. So parties, banks, especially banks, insurances, but generally everybody who has a kind of assured level of authentication and identification for their identities, they are really calling for them to participate, to register, to take part in this network of identity information providers, to get to a global network. And I think this is really an interesting approach. I'm really looking forward to, first of all, having seen that first here, and to seeing that in the future. And actually, what's your opinion on that?
It really sounds interesting. I honestly wasn't able to join the session, but I will watch the recording. And in general, the concept of having something like that, I mean, that's the solution for many problems we have. And so I like it.
Absolutely. And if you look at the paper, and I have to read it out, I will add the URL behind that quickly, I just have to find it, but there's a paper behind that. A white paper of, say, 20 pages, and they have 150 authors who contributed to that document. And that reads like a who's who of the identity people, of identity leaders from OpenID Connect or from the OpenID Foundation and across many other institutions that are continuously contributing standards and interoperability frameworks. And that is really something that is not coming from just anywhere. This is really the who's who of the identity scene that have contributed to this project. And I think that is really a good starting point. So for me, it
Sounds also a little bit like
The old, or not so old, idea, the idea of having something like a certification authority. If we talk about traditional certificates, you have some root certification authorities which sign certificates for separate branches or departments, for devices and things like that. And then you are able to define sub-certificate authorities, which allow others to sign them too. And that's a cool concept, I guess.
Absolutely. And actually this GAIN organization in the middle, like a spider in the web, is connecting things, but they do not store any kind of data, not a single bit of information on the identities. They just know where to direct them and how to exchange data. But the exchange will always happen between the identity information providers, and not through GAIN, which would then of course be the bottleneck. They are not; they are just making sure that the right connection is made.
They also share ideas of how to revoke such a verified identity?
Absolutely. That's a complete lifecycle concept behind that. And also how to deal with more than one identity. You could be registered with your bank, your state, and your telco. Then you have three accounts. How to deal with that? And that
That's okay, because when talking about certificate authorities, this is a popular topic, because there are different types of certificates and some of them can be revoked, but you, as the one who checks it, must check the URL, whether it's still valid or not. So that's a different, or a complex, concept here.
And actually they recommended at the end of their talk to read this 20-page document. And it's really readable. It's not a technical document. It has lots of suggestions on how to build a business model on that, how to benefit from that, how to reduce fraud, how to provide secure identities for the underbanked communities around the world. So in not so developed areas of the world, this could help there as well. So they are providing very different angles to look at this topic. And that's really interesting. And I've read these 20 pages from yesterday to today, and this is the wisdom that I have as of now from reading this white paper. There's much more information around. And for those who are interested in contributing, I really highly recommend going there. And I found out the URL: it's gainforum.org, G-A-I-N forum.org, just one word, gainforum. And there you can immediately find the white paper that I just read. And I highly recommend that. And I'm really looking forward to the panel happening soon with four of the key authors of these 150 authors. Final comment from your side regarding EIC going on now?
The final statement is: it's a cool concept with that hybrid environment. And probably we'll listen to this recording here after the EIC, but I think it's a good idea to share our next event in November. It's the CSLS, the Cybersecurity Leadership Summit in Berlin, and we will do it in a similar format. So it's really cool. It's worth being onsite, and it's also worth joining online.
So if you are not able to join us onsite, please join us online. But if you can be on-site, it's fine. It's really fun. And thank you for watching this podcast episode. Thank you, Christopher, for being my guest today. And I'm looking forward to talking to you soon, maybe again via video, but nevertheless, we will continue this conversation. Thank you very much, Christopher.
