Security was an afterthought. Sadly, it still is.

The Original DDT
Hybrid Security Superheroes
4 min read · Feb 5, 2019

Vint Cerf, by many considered one of the “fathers” of the Internet, has recently stated that — in summary — when the Internet was designed, security was an afterthought.

He also went on to say that security “is retrofittable into the internet”. Good. Then, why isn’t it? Why is security still such an afterthought?

I know, I know, many will be crying blasphemy now. How can I say that security is still neglected, when a simple Google search for the term “IT security” produces, at the time this article is being written, about 8.7 billion results?

Ok, let me explain…

Security will stop being an afterthought, or — even worse — a “given”, when every single designer and developer bears it in mind at all times, and realizes that security is a side-expertise that every creator of every piece of the Internet must have.

This is something that the car industry has understood, maybe not from the start, but in recent times for sure. The windshield designer knows that the glass has to be shatter-resistant to avoid throwing glass shards into the driver’s and passengers’ eyes in case of an accident. Tire designers have invented “run-flat” tires and heat-resistant compounds to improve safety. And then we have steering wheels that move away from the driver in case of frontal impact, distraction-free dashboards to help keep the driver’s eyes focused on the street (thus reducing distraction-related accidents), variable tension seat belts to avoid breaking your rib cage, even an emergency handle inside the trunk to pop it open in case you’ve been kidnapped and put in the trunk of your own car. Not to mention the obvious airbags, ABS, ASR, ESP, and the like…

See the pattern? A windshield design team is composed of experts in windshield design, aerodynamics, and security. A tire design team is composed of experts in rubber compounds, hydrodynamics, static/sliding/rolling friction physics, and security. And so on. Every statement here ends in “and security”.

Windshield didn’t shatter, saving occupants from falling rocks

Similarly, the Internet will be a truly safer place only when every designer of every piece of it is also an expert in its security. From the team that designs actual copper cables and fiber optics, all the way up to the web and mobile app developer who’s designing the next regional cooking recipe sharing app.

And — unfortunately — the higher you go in the stack, the less security expertise you find, and the more you realize that, for too many, security is a “given”. Ask the typical app developer “how do you keep communications safe?” and their answer will probably be “oh, my app communicates with the server via HTTPS” or “I use a VPN”. That’s it. That is enough to ease their security concerns. After all, they should be focused on developing their app, right? Security should be a given, should be part of the infrastructure, should come built-in just because you use a TLS-enabled protocol or a VPN, right?

Wrong.

Even when focusing our observations only on a single market, let’s say the IAM market (because that’s where Xiid plays, so we know it well) we see the exact same pattern.

IAM stands for Identity and Access Management. And that’s what most of our competitors do: they focus on managing identities and access. Maybe the market segment should have been called IAMS (Identity and Access Management and Security) to make players more aware that security must be woven into the very fabric of their Identity and Access Management solutions. Instead, the “it is what it is” mentality still pervades almost every IAM solution on the market, and, what’s even worse, the market accepts their security trade-offs.

Want an example? Here’s a screenshot from the knowledge base of one of Xiid’s primary competitors:

Inbound rules and open ports on the customer’s firewall required by a competing IAM (not Xiid)

See what I mean? If you need to reach a server/service inside your DMZ, you create inbound NAT or port-forwarding rules on your firewall. That’s how it’s been done all along, that’s considered “the way it is”. Secure enough. No one is really acknowledging that each one of those open inbound ports is a potential pathway to reach and attack the server/service to which they lead.

But it’s always been done that way. Some of the services bound to those ports have already been exploited multiple times (RPC, NetBIOS, DNS, SMB, …) yet… it is what it is… it’s always been done that way, so why change now?

Because that’s not secure! That’s why.

And that’s why we, at Xiid, have done something about it. We have created the first IAM solution that features Active Directory integration without the need for any inbound open port on the customer’s firewall. None. Zero.

In our design we always put security first. And we designed our Active Directory integration agent to work without the need for any inbound NAT or port-forwarding rule on your firewall. There simply is no route to reach Xiid’s agent from outside the subnet it’s installed in. And you can’t attack what you can’t reach. Yet, it works, and it provides comprehensive as well as secure Active Directory integration. It’s security innovation by design applied to the world of Identity and Access Management. It’s IAM to IAMS.
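The two firewall postures contrasted above (inbound port-forwards into the DMZ versus an agent with no inbound route), as an added example that is not part of the original post and not Xiid’s or any competitor’s code: a small audit that treats every inbound allow rule as a reachable path to the service behind it. The rule format, the port-to-service map and both sample rule sets are assumptions constructed for illustration.

```python
"""Audit a firewall rule set for inbound exposure of directory services.
Added example; rule format and sample rules are constructed, not vendor data."""
from typing import NamedTuple

# Well-known ports of the services the article lists as repeatedly exploited.
RISKY_PORTS = {53: "DNS", 135: "RPC endpoint mapper", 137: "NetBIOS name",
               139: "NetBIOS session", 445: "SMB"}

class Rule(NamedTuple):
    direction: str   # "inbound" or "outbound", relative to the customer's firewall
    proto: str       # "tcp" or "udp"
    port: int        # destination port
    source: str      # "any" or a CIDR limiting who may connect
    action: str      # "allow" or "deny"

def parse_rules(text: str) -> list[Rule]:
    """Parse one rule per line: direction proto port source [action]; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        action = parts[4] if len(parts) > 4 else "allow"
        rules.append(Rule(parts[0].lower(), parts[1].lower(), int(parts[2]), parts[3], action.lower()))
    return rules

def audit(rules: list[Rule]) -> list[str]:
    """One finding per inbound allow rule: each one is a path from outside to a service."""
    findings = []
    for r in rules:
        if r.direction != "inbound" or r.action != "allow":
            continue
        service = RISKY_PORTS.get(r.port, "unlisted service")
        severity = "HIGH" if r.source == "any" else "MEDIUM"
        findings.append(f"{severity}: {r.proto}/{r.port} ({service}) reachable from {r.source}")
    return findings

# Constructed rule sets: port-forwarding into the DMZ versus outbound-only connectivity.
INBOUND_STYLE = """
inbound tcp 135 any
inbound udp 137 any
inbound tcp 445 any
inbound udp 53 203.0.113.0/24   # restricted source, still a reachable path
"""
OUTBOUND_ONLY = """
outbound tcp 443 any            # agent connects out; no inbound listener exists
inbound tcp 445 any deny
"""

def exposure_counts() -> tuple[int, int]:
    return len(audit(parse_rules(INBOUND_STYLE))), len(audit(parse_rules(OUTBOUND_ONLY)))
```

Run `audit(parse_rules(INBOUND_STYLE))` to list the four reachable services; the outbound-only set yields no findings, which is the whole point of the design described above.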

And this is just one of the many patent-pending security solutions that we have designed here at Xiid, to weave security into the very fabric of each service that so direly needs it. Feel free to contact us privately should you wish to know more about it.


CTO of Xiid Corporation, ethical hacker, hardcore software designer and developer, serial entrepreneur.