ITPRO

Printed from www.itpro.co.uk


    Q&A: John Stewart, Cisco's chief security officer

The head of security for Cisco speaks to IT PRO about application security and solving the identity problem.

By Mary Branscombe, 14 Jul 2008 at 12:20


The second way – and this is going to be fun to watch, frankly – I think the whole idea that you carry the context of yourself and the transaction of what you’re doing mobile-ly, irrespective of the delivery vehicle, gets to identity-based system-ing. Identity, plus what is going on with your identity at the time you move.

I have a feeling that, as a result of this, what you're going to end up seeing is very thin, light application suites that are endpoint based and a very rich experience using massive network build out. It’s already started to happen; definitely BT has gone down this route. You're basically saying the end point is going to matter less at a computational level.

The display, the keyboard and the system that you interact with are the most valuable. Think about Lufthansa going to wireless on their planes; they're trying to solve the inability to do work when you're mobile. Everything about handset mobility, you're trying to solve work when you're mobile. But each time it happens, less and less computational necessity exists on the device - you're just getting the service on the device.

That’s pretty important to my mind because then your security context can go with the service. So if the application itself is the same on that device and on your phone the security context can be exchanged. If I move from one to the other, it’s just the same context; if I move back, it's just the same context. By the way, this is not remotely a trivial set of issues. I won't try to say it's easy but I will say it’s absolutely the next generation.

Is NAC a part of this? Is it really useful when you have so many online services coming into the business?

You have to tool infrastructure so that you decide who shall pass. Version one of NAC is done, not because it’s all solved but ‘wave one’ of solving NAC has carried its way through. I think you’re seeing ‘wave two’, which is the maturation.

Wave one was 'I think this is what we need'. Wave two is OK, we tried to use it; now this is what we need as a result of trying. You're seeing improvements from all sorts of vendors including ourselves. We didn't have everything right in round one - big surprise! - so round two is coming.

What other big developments still need to happen to improve security?

We still haven't really solved identity. I think part of it is we're trying to sledgehammer it in a one-answer way. That which is identifying you is the authorisation token as well - and that's actually the inverse of what we need.

If you came to me and said 'here is a token that looks like this, and that I uniquely know is you', I don't know who you are. I just know, uniquely, that is you. From that moment on, I never need to know who you are. I can just know you presented something only you could have.

This isn't an argument for biometrics; I'm not trying to go down that road. I'm just suggesting that if the 'uniquity' you can display about yourself can allow me to grant you that which you are authorised to get, I don't need to know who you are.

Part of the privacy versus identity issue is if I actually present who I am to the very people I'm worried might watch me all the time, I'm uncomfortable. Maybe you've got a three-way conversation: I've just asserted to you I am who I said I was. You've asserted to her that which I told you, but you didn't tell her who I was. Since we both have a unique domain of trust relationship to you, she can grant me access to what I needed access to and never know who I am. This is what Kerberos did back in the day, and it is still the model that separates identifying you and granting access to what I need.

In the US, the issue we have is social security numbers are frequently both identity and authorisation. That is creating worlds of problems for us, because it's overloaded.

Especially when you really want to assert a minimal claim?

Especially then. In order to do something as simple as present how old you are, you have to give away so much more.

The minimalisation model we would ideally want, which would only give you what you needed to give me the authorisation rights, is violated every time I get carded with my driver's licence or my passport, because I'm giving up too much.

Because my driver's licence tells you my age, but it also tells you my address and it also tells you my driver's licence number, which has no bearing on the conversation whatsoever. We're overly creating and engendering a tie between that which is authenticating me and that which is authorising me. That's the change that really needs to happen.
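The three-way exchange and the minimal-claim point above can be made concrete. The following is an added example, not code from the interview or from Cisco: a Kerberos-style split in which an identity provider (the only party that knows who the user is) authenticates the user and then mints a signed, short-lived ticket carrying nothing but a pairwise pseudonym and the single claim the service asked for (here, "over 18"). The service trusts the identity provider through a shared HMAC key and grants or refuses access without ever learning a name, address or licence number. The directory records, keys, service name and the `over18` claim are all constructed for the demo.

```python
"""
Added example: separating identification from authorisation.

Roles (all constructed for this demo):
  - IdP: holds the only copy of who the user really is, authenticates them,
    and issues a ticket with a pairwise pseudonym plus one yes/no claim.
  - Service ("bar.example"): shares an HMAC key with the IdP (assumption),
    verifies the ticket, and never sees identity beyond the pseudonym.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed IdP directory: full identity lives only here, never in a ticket.
DIRECTORY = {
    "alice": {"password_sha": hashlib.sha256(b"correct horse").hexdigest(),
              "dob_year": 1980, "address": "1 Example Street"},
    "bob":   {"password_sha": hashlib.sha256(b"hunter2").hexdigest(),
              "dob_year": 2010, "address": "2 Example Street"},
}
PSEUDONYM_SECRET = secrets.token_bytes(32)             # IdP-only key
SERVICE_KEYS = {"bar.example": secrets.token_bytes(32)}  # shared IdP <-> service
TICKET_TTL = 300                                       # seconds

def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def _year(ts):
    return time.gmtime(ts).tm_year

def idp_authenticate(username, password):
    """Identification step: only the IdP ever checks a credential."""
    rec = DIRECTORY.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["password_sha"],
                               hashlib.sha256(password).hexdigest())

def idp_issue_ticket(username, password, service, claim, now=None):
    """Authenticate, then mint a ticket that says only whether `claim` holds."""
    if not idp_authenticate(username, password):
        raise PermissionError("authentication failed")
    if service not in SERVICE_KEYS:
        raise ValueError("unknown service")
    if claim != "over18":
        raise ValueError("unsupported claim")
    now = int(time.time()) if now is None else now
    rec = DIRECTORY[username]
    value = (_year(now) - rec["dob_year"]) >= 18
    # Pairwise pseudonym: stable for (user, service), different per service,
    # so two services cannot correlate the same person through the ticket.
    pseudonym = _sign(PSEUDONYM_SECRET, f"{username}|{service}".encode())[:16]
    body = {"sub": pseudonym, "aud": service, "claim": claim,
            "value": value, "iat": now, "exp": now + TICKET_TTL}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": _sign(SERVICE_KEYS[service], payload)}

def service_verify(ticket, service, claim, now=None):
    """Authorisation step, service side.

    Checks MAC, audience, claim name and validity window, then returns
    (granted, pseudonym). No name or address is available to this code.
    """
    now = int(time.time()) if now is None else now
    body = ticket["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    expected = _sign(SERVICE_KEYS[service], payload)
    if not hmac.compare_digest(expected, ticket["mac"]):
        return False, None                      # tampered or wrong issuer
    if body["aud"] != service or body["claim"] != claim:
        return False, None                      # ticket meant for something else
    if not (body["iat"] <= now < body["exp"]):
        return False, None                      # replayed after expiry
    return bool(body["value"]), body["sub"]

if __name__ == "__main__":
    t = idp_issue_ticket("alice", b"correct horse", "bar.example", "over18")
    print("ticket:", t)
    print("bar.example decision:", service_verify(t, "bar.example", "over18"))
```

The service learns exactly one bit (the claim value) and a pseudonym it can use for its own records; the ticket contains nothing the directory holds about the user. Flipping the claim value inside a ticket invalidates the MAC, and a ticket presented to a different audience or after its window is refused, which is what keeps the pseudonym from becoming a reusable credential.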

Do you see any companies making progress on dealing with this identity issue?

I think we're going to see fairly significant success over the next number of years, because it’s becoming high time that identity of a device and the identity of an individual are separated from the authorisation for each. NAC started off by identifying the device and identifying its condition and granting authorisation – those are two independent steps.

People are identifying themselves to the same stuff that is authorising them to do something. That's beginning to change too. Some of the leaders in this space are the traditional ones. I think IBM is going to be a leader, I think Microsoft is going to be a leader, I think RSA is going to be a leader.
