Bitcoin and the cloud
The media circus surrounding Craig Wright’s attempt to prove he is the inventor of the digital currency bitcoin has occupied both the mainstream media and the tech media over the past week.
Some five years ago, the Jericho Forum looked at the problems with cloud and defined two that the industry should tackle, in the form of two questions that anyone should ask themselves when implementing cloud:
How do you manage your data in an environment you do not control?
How do you manage identities that you do not control?
Bitcoin uses blockchain, a distributed ledger technology in which the data is public and is distributed across many computing platforms, none of which “you” own; it highlights the same problems with identities that you have in a cloud environment.
So when you try to prove that you are Satoshi Nakamoto, the secretive creator of the currency, that proof becomes very difficult because there is no root of your identity (as we have seen).
While blockchain is not cloud per se, the challenges (and maybe even the solutions) here are very similar.
The work the Jericho Forum performed on identity, which it then expanded for cloud with the CSA in the CSA’s “Guidance” document 3.0 (Domain 12), defines the need for anonymity at the root of an entity’s identity [this is what we call “Sameness” – I am the entity that created this cryptographic root, still am today, and will be tomorrow], based on a known level of immutability between the entity and the cryptography. A series of personas can then be built on top of that common root. [If you want to understand more, there is a series of five short tutorial videos linked below.]
This may seem counter-intuitive to anyone who has been doing identity in a traditional corporate environment, where the corporation proofs all its own “staff”; but that approach rapidly breaks down into kludges when people (entities) that you do not “own” [contract staff, cleaners, temps, JV staff, auditors, visitors etc.] need access to your systems.
The work from the Jericho Forum concluded that a single anonymous cryptographic root (proof that “I am me” – or “sameness”) with cryptographically linked personas not only enables you to better protect your current corporation, but also solves identity in the cloud space by moving to an entitlement model; here the signed assertions an entity makes can be used to define the level of access the entity is granted. This also enables BYOId (Bring Your Own Identity).
Such a solution would simply have allowed Craig Wright to prove “I am me” and therefore “I am the persona Satoshi Nakamoto”; assuming, of course, that he really is.
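One way to realise the root, linked-persona and entitlement model described above, as an added example that is not part of the original post or of the Jericho Forum or CSA material. It assumes Ed25519 keys, a root that signs each persona's name and public key, and a verifier-side policy table; every name (`NewKey`, `NewPersona`, `Entitlement`, the `link`/`assert`/`same` labels) and the sample role values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type Persona struct {
	Name      string
	Pub, Link []byte // persona public key; root's signature over the name and key
}

// NewKey makes a bare, attribute-free key pair (the anonymous root). Ed25519 is an assumption.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tagged adds a purpose label so a signature cannot be replayed across uses: "link:<name>"
// (root binds a persona key), "assert" (persona signs a claim), "same" (root answers a challenge).
func tagged(label string, data []byte) []byte { return append([]byte(fmt.Sprintf("%s:%d:", label, len(data))), data...) }
func Sign(k ed25519.PrivateKey, label string, data []byte) []byte { return ed25519.Sign(k, tagged(label, data)) }
// Verify checks the key length first because ed25519.Verify panics on a malformed key.
func Verify(pub ed25519.PublicKey, label string, data, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, tagged(label, data), sig)
}

// NewPersona creates a persona key and has the root key sign the binding.
func NewPersona(root ed25519.PrivateKey, name string) (Persona, ed25519.PrivateKey) {
	pub, priv := NewKey()
	return Persona{name, pub, Sign(root, "link:"+name, pub)}, priv
}

// Entitlement maps a verified assertion to an access level; "" means denied.
func Entitlement(policy map[string]string, rootPub ed25519.PublicKey, p Persona, claim string, sig []byte) string {
	if !Verify(rootPub, "link:"+p.Name, p.Pub, p.Link) || !Verify(p.Pub, "assert", []byte(claim), sig) {
		return ""
	}
	return policy[claim]
}

func main() {
	rootPub, root := NewKey()
	p, key := NewPersona(root, "auditor")
	policy := map[string]string{"role=auditor": "read-only"} // constructed sample policy
	fmt.Println(Entitlement(policy, rootPub, p, "role=auditor", Sign(key, "assert", []byte("role=auditor"))))
}
```

A “sameness” proof in this sketch is `Sign(root, "same", challenge)` over a fresh challenge chosen by the verifier, checked with `Verify(rootPub, "same", challenge, proof)`; the verifier only ever needs the root's public key, never who is behind it.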
Paul Simmonds
Paul is a member of the board for CSA UK, one of the co-editors of CSA Guidance 3.0 and CEO of the Global Identity Foundation.
https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
https://www.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
https://en.wikipedia.org/wiki/Identity_3.0
http://www.globalidentityfoundation.org/index.html
http://www.globalidentityfoundation.org/videos.html