Distributed Management Systems Ltd on Inogesis' Innovator Showcase
Data breaches continue to threaten the security of customers. 148 million data records were breached as of December 2020. Of these, 34% involved internal actors. Distributed Management Systems Ltd is a UK-based organisation that offers a unique product to fight against data breaches. Casque is the name for their proprietary, multi-factor authentication methodology. This method fulfils the highest NIST Identity Assurance Level and needs no supporting methods. It allows the customer to own and manage access without identity threats.
Today, we interview Dr Basil Philipsz, CEO at Distributed Management Systems Ltd, to find out their perspective on innovation and security-focused technology in today’s constantly changing environment.
1. When did you initially have the idea to set up your own company?
I took over the running of an existing small electronics company my brother had founded after his health started failing. I reorganised it into a software house doing bespoke contracts. One of the early successes was to install the software for the entire physical access system which controlled vehicle barriers and turnstiles for 10,000 people working at the Port of Dover. The software ran faultlessly for over 10 years.
2. What were the driving factors/reasons behind your decision?
Although the task was control of access to physical resources, the problem of access control to data resources intrigued me and caused me to question why existing solutions were vulnerable. The evidence can be seen with data breaches continuing to damage - 48 million data records breached in December 2020. Corrupt Insiders can use weaknesses in Authentication techniques to deny their complicit access - 34% of data breaches in 2019 involved Internal Actors.
3. What has been your most difficult problem to overcome?
Existing Authentication methods have inherent vulnerability; they rely on keeping fixed secrets which can be exposed by discovery, or from Insider disclosure.
Our solution, CASQUE, is a new approach to Identity determination that does not rely on keeping fixed secrets. It fulfils the highest US National Institute of Standards and Technology Identity Assurance Level without the need for supporting methods and allows the Customer to own and manage access without "Identity Surrender".
4. What do you feel are the emerging trends in the current market?
The fashionable concept of Zero Trust Access (ZTA) is much simpler to expound than to actually implement. Consider the following tenets from Draft (2nd) NIST Special Publication 800-207:
“Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioural attributes”.
“All resource authentication and authorisation are dynamic and strictly enforced before access is allowed”.
These seem eminently sensible but hide awkward conundrums. There is an increase in flexible and remote working with the times, locations and types of client platforms of a worker changing from day to day. Behavioural patterns need to have a wider tolerance.
More importantly, it does not suit the “agile” Organisation to have the Executive Sales Manager needing to phone the 24/7 Administration Support team to visit a new location tomorrow and convince them he should be so allowed. So one result is increased administration overhead and the inevitable easing of profiles for the most privileged Users who then become the obvious target for hackers. The ultimate dichotomy in Zero Trust Architectures is that you have to trust that the access to the Policy Enforcer Administration is legitimate.