Data breaches continue to to threaten the security of customers. 148 million data records were breached as of December 2020. Of these, 34% involved internal actors. Distributed Management Systems Ltd is a UK-based organisation that offers a unique product to fight against data breaches. Casque is the name for their proprietary, multi-factor authentication methodology. This method fulfils the highest NIST Identity Assurance Level and needs no supporting methods. It allows the customer to own and manage access without identity threats.
Today, we interview Dr Basil Philipsz, CEO at Distributed Management Systems Ltd to find out their perspective on innovation and security-focused technology in today’s constantly changing environment.
1. When did you initially have the idea to set up your own company?
I took over the running of an existing small electronics company my brother had founded after his health started failing.; I reorganised it into a software house doing bespoke contracts, one of the early successes was to install the software for the entire physical access system which controlled vehicle barriers and turnstiles for 10,000 people working at the Port of Dover. The software ran faultlessly for over 10 years.
2. What were the driving factors/reasons behind your decision?
Although the task was control of access to physical resources, the problem of access control to data resources intrigued me and caused me to question why existing solutions were vulnerable. The evidence can be seen with data breaches continue to damage - 48 million data records breached in December 2020. Corrupt Insiders can use weaknesses in Authentication techniques to deny their complicit access - 34% data breaches in 2019 involved Internal Actors.
3. What has been your most difficult problem to overcome?
Existing Authentication methods have inherent vulnerability; they rely on keeping fixed secrets which can be exposed by discovery, or from Insider disclosure.
Delegating the problem also has consequences. For example, using third party Identity providers such as like DUO, Ping, Okta usually involves registration with the User's personal identifiable attributes like name, age, email, mobile number, address, passwords, credit card. Further, looking at the privacy policy of these providers shows the extent of the additional behavioural information that they want to collected. If these sites are breached then these same providers deny responsibility for data loss in their terms and conditions.
Our solution, CASQUE, is a new approach to Identity determination that does not rely on keeping fixed secrets. It fulfils the highest US National Institute of Standards and Technology Identity Assurance Level without the need for supporting methods and allows the Customer to own and manage access without "Identity Surrender".
4. What do you feel are the emerging trends in the current market?
The fashionable concept of Zero Trust Access (ZTA) is a much simpler to expound than to actually implement. Consider the following tenets from Draft (2nd) NIST Special Publication 800-207):
“Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioural attributes!
“All resource authentication and authorisation are dynamic and strictly enforced before access is allowed”.
These seem eminently sensible but hide awkward conundrums. There is an increase in flexible and remote working with the times, locations and types of client platforms of a worker changing from day to day. Behavioural patterns need to have a wider tolerance.
More importantly, it does not suit the “agile” Organisation to have the Executive Sales Manager needing to phone the 24/7 Administration Support team to visit a new location tomorrow and convince them he should be so allowed. So one result is increased administration overhead and the inevitable easing of profiles for the most privileged Users who then become the obvious target for hackers. The ultimate dichotomy in Zero Trust Architectures is that you have to trust that the access to the Policy Enforcer Administration is legitimate.
CASQUE implements ZTA with minimum Support Costs.
5. Do you have many competitors? What are your USP’s?
We do have many competitors and can compare our benefits against specific types of alternative products. For example, our CASQUE contactless Smartcard cannot be successfully cloned unlike Biometric based methods; we do rely of keeping fixed secrets so nothing for a complicit Insider to disclose to their collaborator; we know which user attempted access so can provide forensic trail unlike FIDO2 devices that just relate to specific URLs with no User association.
Most importantly we enable the Customer to own and manage access to their data crown jewels without Identity Surrender to third parties who ultimately deny responsibility.
6. How do you/your organisation define innovation?
Simply put "new way of addressing a need that's better than existing solutions"
7. Have you had to alter your strategy or leadership style due to elements that have stifled innovation recently?
No major changes.
8. What mindsets, qualities or talents do you feel characterises the Innovators whom you most admire?
Persistence and Persuasiveness.