Note: This is Part 2 of a two-part article. The first part can be found here: https://codemag.com/article/2009091
In this “Talk to an RD” column, Markus Egger and Dr. Neil Roodyn continue their virtual conversation about the impacts of the COVID-19 crisis. Both are involved with managing teams that are now working remotely more than before. Both are involved with customers facing the same issues. This discussion focuses on security issues.
Markus: Do you use Surface Hubs in your organization?
Dr. Neil: I've been using Surface Hubs, but I suspect they're all switched off right now since nobody is in the office. But I'm very, very fortunate. I have a Surface Studio on my desk, which is a beautiful device. A lot of the teams that I work with have Surface tablets, Surface Pro, or Surface Books. Or a Lenovo tablet that has a pen or an iPad with a pen. Microsoft Whiteboard runs on any Windows device and on iPad. If you have a pen, you get the extra bit of nice functionality where you can engage. I think the other nice thing about Whiteboard is that, as different people are scribbling on the same whiteboard at the same time, you see their little icons popping up all over the screen so you can track who's doing what.
You can see a bigger picture emerge as multiple people are scribbling down. You can divide the page into columns and people can enter stuff in their own columns, or however you want to do it. You can create notes and move them around on the page. I found that to be a very useful free-form tool in the same way I've always liked having a whiteboard in a working space when I'm in the same room as someone. It encourages that wider conversation. I think sharing screens fluidly and being able to share screens among different people in the conversation is also very powerful. People want to share, whether it's a new UI they're designing or they want to have a conversation around some plan they've put together. Just being able to do that in Teams has been powerful.
Bringing in guests is also very powerful. Knowing that you can lock MS Teams down to people within your organization, but you can have teams where you can bring in guests in a controlled fashion is another aspect of it. There are lots of pieces of the puzzle that connect together to make a very useful toolkit that MS Teams has presented.
Markus: I believe you can use the Whiteboard product whether you use Teams or not, is that correct?
Dr. Neil: Yes. The Whiteboard product isn't attached to Teams. It's a separate product. It's attached to Active Directory. Most of the organizations I work with are enterprise-scale organizations. They have their own Office365, so we're working with those on the inside of their firewall, logged in as an AD under their domain.
Markus: Overall security is pretty good with all that stuff, right? I mean, looking at Teams and the security that it has compared to some competitor products that have made big headlines lately with various security problems. It's always nice to know that in Teams, security works well. Also, most people already have a license for it because it's part of Office.
Dr. Neil: Right. Microsoft made a big move to make it free for everyone during this period. So that's made it useful too, in that if I have a team that's not necessarily hooked into the Microsoft ecosystem, I can add them as guests into my domain and bring them into conversations.
The security aspect, certainly within a domain within an organization, is incredibly important. Because there's a lot of these conversations you don't want getting outside of the firewall, right? In the situation we're in due to COVID-19, we need to be able to have senior leadership conversations that you normally would have behind closed doors in a boardroom. You need to do them virtually. You need to be sure that they're secure. You want to have an environment that you're 100% comfortable in.
And there are other aspects too, like knowing that something is recorded. You can see a little dot on your screen right now because I'm recording this call. It's also important knowing that something has been captured or isn't being captured. It's just extra transparency and extra information.
Markus: I know you're also very interested in approaching software development with security in mind and as a driving factor.
It always surprised me how many developers don't think about security up front. We battle that with what I call “Security-Driven Development.”
Dr. Neil: It's what I've started calling “Security Driven Development,” copycatting the Test-Driven Development that I started pushing 20 years ago when I was doing all the XP [eXtreme Programming] drive, trying to get people into XP and Agile, and thinking about how to put quality first. One of the things that surprises me a little bit in the last year or so was how many developers don't really think about security stuff. They're very feature-focused and want to deal with security later.
The problem with dealing with security later is the same problem you have with dealing with quality later. You can build something that's very hard to secure. If you build something test-driven, it's very hard to build something that's not high quality because you're building it so it's testable. If you build something security-driven, it's very hard to build something that's not secure because you're building it with security in the forefront of your mind.
There's a lot of this kind of change of attitude that needs to happen. Especially as more developers are building greater scaled applications that offer services. You think of the architectures we're being encouraged to move our world into, of microservices, or treating the cloud as just a place to host functions that you can call. These are all great ideas, but you have to make sure that you're not breaking security. “Oh yeah. We've got this new service that, you know, exposes all this customer information that you can call.” That's great internally. And then you wonder who else can call it. “Oh, anybody.” And that's not good. [laughs]
Well, let's lock that down. You have to think about that from the beginning. You want to make sure that there's good authentication and validation. I've been doing a bunch of work helping people understand. None of it's really that complicated. But you must understand how to make sure that they're using best practices from the start and not going “oh, well, we'll use HTTPS to start with, and then we'll retrofit some other security stuff on top of that.” It's not breaking news, but HTTPS isn't super secure. And if you're passing information that's critical to your business, maybe you want to think about not just encrypting it yourself, but also validating the source and the destination and other places you're expecting them to be. You can do that with certificates, with signing, and a whole bunch of tech that's already out there. It's not very hard to get your head around, but you have to plan to do that from the beginning.
Markus: Do you have any pointers? Are there any books or articles people should read or anything like that?
Dr. Neil: I think there are a few things and it really depends on what your platform is and where you're going. The great thing about this time that we live in is that security is front and center for all the big platforms. So whether you're on Amazon and AWS, or you're on Microsoft and Azure, or you're on Google, they all have great documentation on the security aspects of their platform and how to make sure the products that you're building on their platforms are secure. You really don't have to dig very hard to find that documentation. Whatever platform you're on, go and find out what the security best practices are and read them, and make sure you understand what they're trying to tell you, because none of them want to be the platform that exposes, you know, seven million customer records because you did something silly. [laughs] These platforms have a vested interest in supporting your efforts to be secure.
The second thing is that, again, in this day and age, there are a huge number of online courses that are free or very cheap. You can go to LinkedIn Learning, or Pluralsight, and you can find a ton of really good security courses for your language and for your platform. If you're programming in Java, C#, or C++. It really doesn't matter. You'll find security training in that language. If you're building stuff for IoT on little microchips and shipping 10 million of them around the world, you'll find a course that teaches you how to secure those devices. There's no shortage of information.
To some degree, that's why I was a little bit shocked to start discovering that a large number of developers weren't really thinking about security first. They were stuck on this cycle of features. I understand why; it's because the business is driving them to build features. The reality is that they have to think about security first, and that was crossing all kinds of industries that I've stuck my finger into in the last decade, from the finance markets through to logistics and shipping through to property management. It's everywhere. I think if your goal is to build a product that is a global-scale success, if you're trying to build a product that's gonna make you the next Apple, Microsoft, Google, Facebook, whatever, you have to think about these things. And it's true even if you're building an internal product.
I guess the other thing that's really brought a lot of this to the fore, is horrific legislative activities, like GDPR. Suddenly everyone's going “The what? What do we have to do? What do you mean we can't sell our product in Europe anymore?!?” In many ways, for as much as I hate all the bureaucracy, I think it's done everyone a big favor in making them think about what personal information is. What is this data that I'm transferring among 50 different servers? What does it mean? How am I transferring it? Is it accessible to other people? I think there are a number of factors that have come into play. The whole GDPR conversation is what's also driven a lot of these security courses online.
Markus: How much does moving onto one of those clouds help you with that? Some of the cloud stuff forces you into that, doesn't it? You put up a SQL Azure database and you don't have quite the freedom to mess up security as you did before. But it's not automatic by any stretch of imagination.
Dr. Neil: No. And you can break it. [laughs] There are some defaults that all the clouds, whether it's Amazon or Microsoft or whoever, give you that are definitely more secure than you would be if you had just gone and installed SQL Server on a box and connected it to an Internet connection and started serving up data to your website. There are some defaults that they'll set up and there are also some flags that they all give you. They give you a little flag saying “Warning. We don't believe this is secure. You should not use this technique. Using this other technique is our recommendation.” Not that they actually prevent you from doing it wrong. You can go and configure it how you want and it could be insecure. But the flag is there. And every time you log into their portal, you'll get this alert: “Your SQL server is not considered to be secure the way we would like it, or the way we would recommend it here.”
Markus: Or they might even send you an email.
Dr. Neil: Yeah. “Click this link to see our recommendations.” There is definitely a base level of value you get from that. But then you get to code you've written and you've pulled that data out of the database, and now you're going to manipulate it somehow, and you're going to send it somewhere else, you're kind of out of the realm of them worrying about it. If you're using their messages, the cloud messaging protocol that they've provided, maybe you're secured again by what they're providing. But I think the other thing is to make sure you understand what they're providing. If you're using some messaging system hosted on a server somewhere hosted by Amazon or Microsoft, understand what they're providing as part of that. Even just the fact that you've gone and read and understood, means you're now getting a bit more of your head around the concept of what security means.
When they say something that you don't understand, go and look it up! Hopefully you then understand a bit more about that aspect of the security. I always recommend to everyone that they investigate what's currently provided, even if they're using a standard cloud platform provider. But the other thing I often say is “don't trust it.” You want to make sure that it's secure as far as you're concerned or not only secure as far as they're concerned. And if you want to be the one who's comfortable with security, maybe you need to add something to that. Maybe you need to add a level of encryption or a level of validation. If the only server that's allowed to send you this kind of information is this or that server, sign it or have a certificate that's on that server. Then you know it came from the right server and it can't come from somewhere else.
Markus: I'd imagine you're still an advocate of not home growing your added solution. You go with certain standards and encryption mechanisms and standard signing and so on.
Dr. Neil: Absolutely! I don't want to invent a new security protocol. Absolutely not. At the same time, I don't think a lot of what comes out of the box is necessarily the best thing. Like, I think a lot of the certificate signing is still 2048 [bit encryption], and really, we probably need to go up to 4096 now. You may just want to flip that switch so that you're using a slightly harder-to-crack set of tokens. But yeah, I do think that you should first understand it and then use the tools to make sure you're making the security harder to crack and harder for someone to access the data.
Markus: How do you deal with sign-on and IDs and accounts and all that?
Dr. Neil: [laughs] That's a super interesting conversation because identity is core to everything we're doing. One of the things I spent a bunch of time on last year is looking at different identity solutions. Also digging into this concept of Decentralized Identity. Right now, you think about identity for everything we do. Let's say you log onto Teams; you log on with your username password, and maybe you use multifactor authentication or two factor authentication and get a thing that comes up on your phone and you say, “yes,” and you're in and that's great. But who owns that identity? Well, now it's a Microsoft identity, or it's an Active Directory identity, or you log into Gmail and it's now a Google-owned identity, or you log into your Amazon admin portal and you're now on an Amazon identity, or you log into your Adobe tools and you're now on an Adobe identity.
It's like, “wait a minute!” How many identities did I just roll off? Like five, six? And you have all of those, right? I'm sure you do. I'm sure most people have this huge number of identities. Oh, and you also have a government identity. When you log onto your driving license or to pay your taxes, that's a different identity. So you just start thinking “wait a minute, there's something really wrong with this picture!” Well, there are multiple things wrong with this picture [laughs], but the first one is that most of them are still relying on a username and password. And 20 years of doing this makes me feel like this really isn't right anymore. The other thing is that you're now giving ownership of the identity of who you are, in different aspects of it, to different people, not yourself. You no longer own your own identity in the Adobe cloud. You no longer own your own identity in the Amazon cloud.
Could we change it? Can we turn the whole thing on its head and create a world where you own your identity and you decide which parts of it you want to give to different people? You then say, “oh, well, for my health records, obviously, I want this part of my identity, like my date of birth, my address, my next of kin.” Whatever. Those kinds of things. That's part of what you share with your health identity, but you still log on as the same person when you go to Adobe. They don't need to know anything about any of that stuff, right? Maybe they need to know your billing address, but they don't need to know your next of kin or your date of birth.
You might share a different set of components, but it's the same identity. That's this concept of trying to create a decentralized identity solution. The buzzword-compliant way of talking about it is blockchain or ledger-based identities. That's a technique that you could use to create this decentralized identity, but it definitely seems like an interesting way forward and a way out of this multi-identity problem and this lack of consolidation to who you really are. The great thing is that if you were to do this, you could start getting crossover. Say, for example, I want to buy a domain and get a certificate on Azure. Well, how do they know that it's really me? At that point, I could share my government identity with them with the same identity that I'm already logged in with and say, “here's my driving license and here's my passport number and you're allowed to use it for the next two days in order to issue me with my own domain and my own certificate for that domain.” And then it disappears from their data. I'm giving permission to use this for a period of time and then it gets revoked.
These kinds of concepts are technically very feasible now. I'm keen to try to work out how I can start helping organizations think about using a more decentralized identity within their environment. Because I think that this would enable a much richer digital conversation to start happening between systems.
Markus: So how do we all imagine this? We were talking about things like blockchain, but I'm assuming we're not just talking about blockchain-style technology that sits on a server, but we would have a very large distributed set up. Almost like Bitcoin using blockchain?
Dr. Neil: Yeah. It has to be a set of distributed ledgers that capture the different aspects of what we're all doing.
Markus: Blockchain would mean it's trustworthy. It's not changed and so on. It's not fake. But how do you give it authority in the first place?
Dr. Neil: You'd have authorities in the ledger. The Australian government or Hawaiian state government are examples of such authorities. Or you may have the department of driving, or you may have hospitals with certain authorities. You can specify what authorities they have in order to be able to carry out certain actions. Or to be able to add something to the chain or to your ledger saying, “this is Markus and yes, this is his driving license as issued by Hawaiian driving.”
Markus: There would be other entities that would have the ability to add or allow you to add to it and sign it in some way to know it's actually for real.
Dr. Neil: Yes. And you could do all of this with certificates, as well. Let's say that I have a certificate issued to me and Markus says “oh, I trust what Neil says about a member of staff who used to work with Neil” and I've signed something and validated that the person was a good developer and worked with me and I really enjoyed it and I've signed it. There are a lot of these kinds of things that start to become super interesting. We'd have to get to a point where we could enable people to really carry identities in a digital form. Right now, that probably means on their phones. You'd carry your identity with you wherever you go and be able to share different aspects of it on different systems with different people.
Markus: Do you envision that will be a completely new blockchain, or could it reuse something like an Ethereum blockchain?
Dr. Neil: There are lots of different projects afoot right now. And if anyone's interested, they can go and look them up, but there is one based on Ethereum. There's one based on what you might call the “Bitcoin blockchain.” Microsoft has a research project called “Ion” that's kicked off.
I think what needs to happen, to be of real value, is it needs to be disconnected from coin. The problem with the ones that are connected to coin, in my view, is that then it becomes a pay-for-use scenario. Obviously, they're motivated by coin-spending. In order to validate someone to sign something, or to do something of that kind of activity, you pay a price. I'm not sure that's correct. I don't necessarily believe you can scale that. If you were going to have hundreds of millions of transactions happening every minute on the Internet, does it make sense that there's a coin value attached to every single time someone logs onto a website to do online shopping? I think that the future of it needs to be disconnected from any coin-based blockchain and needs to be independent. There are a few already starting to pop up that are doing this.
Markus: It makes total sense. There's no reason why a blockchain would need to be coupled to a coin.
Dr. Neil: The ones that have coin were quite quick to adopt it because they already have the infrastructure.
Markus: You could just use an Ethereum-based blockchain for this.
Dr. Neil: Exactly. You don't need to have coin attached to it, but of course the platforms require payment because they're a business of some sort. They're looking for ways to gain revenue out of this.
Markus: Who would be the clearing house for that? Or who provides the API so companies like Adobe could integrate into that? If you're talking about entities like Microsoft or Google, now we're almost back to a blockchain-based version of Microsoft Passport.
Dr. Neil: I think there are two aspects to it. You just brought up two completely different terms. One was “clearing house” and then “APIs.” I think the whole point of this is that there's no clearing house anymore. Everybody acts as their own clearing house to a certain degree. You validate what you want to have shared from your ledger with other people. You are the person who owns your identity. The API is a different aspect. I'm sure that over time, this would evolve and there will be Microsoft APIs and Google APIs and Amazon APIs for ledger-based identity or certificate-based identity or however it ends up being mushed together. But I think the concept of a clearing house is what disappears as part of this.
I think there's a whole other aspect of this identity security conversation. It's probably controversial, but I'm not convinced that we're taking the right route in trying to lock everything down. The concept of privacy in the modern world is quite a modern concept. If you think about us as ancient human beings living in small tribes, there wasn't really a concept of privacy. I'd know exactly who you were sleeping with and what you were eating, because there are only 37 of us in the tribe. [laughs] The concept of privacy in a tribal world is kind of bizarre, actually. A lot of cultures never even contemplated privacy as a thing that was a right or even desirable. Everyone knew what everyone else was up to and you knew straight away that the guy over there is a jerk because it was obvious because everything was out in the open.
You still see this a little bit in cultures that have small communities. I was kind of shocked about this the first time I went to countries like Finland. I went to Helsinki and was amazed at just how safe it was. I used to joke that in a park in Helsinki, you could put your laptop down, go for a walk for 10 minutes, get your coffee, walk back, and your laptop would still be there. I remember once asking a Finnish person about it and she said, “yeah, absolutely.” Because if so-and-so steals your laptop, everyone in the whole town knows it was him by tomorrow.
Markus: Anonymity removes accountability and the online world has pushed that to the extreme.
Dr. Neil: Yeah. The online world has created this extra level of anonymous behavior and anonymous activity. And maybe the solution is to get rid of all of that and make everything incredibly transparent.
Markus: But then doesn't that go counter to your security-driven development?
Dr. Neil: Absolutely! [laughs] That's why I think it's interesting! Because I think there are two ends to this scale. You either go to everything being totally locked down or you go to nothing being locked down. It's the in-between that we're stuck in that's so troublesome.
Markus: Then perhaps we should put everyone's behavior into a blockchain. You can look up all the bad stuff someone did. You know, Big Brother to the max!
Dr. Neil: You're not the first to suggest this. [laughs] Some people would say this is highly restrictive. You're now observing my every behavior. What are you doing wrong that you don't want to be observed? And you have to ask: “why do you need to be anonymous if you're not taking bad action?” Are you embarrassed by your activities? You don't want to let people know that you went to that website. Well, why did you go to their website? Maybe you should think about that a little bit more and not go to that website. Let's, for the sake of the conversation, say it's a gambling website. I know that wasn't what you were thinking. [laughs] So maybe you shouldn't have gone to that gambling website. If you're embarrassed about going to that gambling website, you should have thought about that a little bit harder.
Markus: That's true. On the other hand, it could also be a completely different matter. Maybe you're a person in the public eye and you don't want everyone to know about your family life. You take your kids to a certain school and you don't necessarily want everybody to know where your kids are at all points in time in order to protect them. Then it takes on a little bit of a different dimension.
Dr. Neil: It does. Except if you know where all the stalkers are all the time, then maybe that's less of a problem. [laughs]
What I'm saying is that I think if you really want to solve this, you either go all the way to absolute maximum security. Everything is locked down and nobody really knows who anybody is. Or you go all the way to complete transparency, where there is nothing hidden at all. Then if I want to know where someone was at some point in time, it's there. It's the in-between that we have the problems with, where some people are more anonymous than others. And some people's activity is more hidden than other people's activity. I think that's where a lot of these challenges start. Well, how is he allowed to be secret about it? I'm not secret about it.
I think just the same with money laundering. Like if you're an amateur money launderer, shall we say. And I know this because I used to work…
Markus: ...as a money launderer? [laughs]
Dr. Neil: [laughs].
Markus: Where do we go with this? We may be going somewhere that you don't want the world to know. [laughs]
Dr. Neil: [laughs] I used to work in financial surveillance. I used to look for bad patterns of behavior and movements of money. There are some interesting things that you learn when you do that. One of them is that people who know what they're doing are never going to get caught. The people who generally get caught for doing silly things with not paying taxes or whatever, are people who don't understand what the rules are or don't understand in general. So what I'm really saying is if you're good at hiding it, you can hide it.
That means it's different rules for different people. What I'm saying is if you went to complete transparency, you break all that down. We're dealing with this right now. We're dealing with it here in Australia and you've been dealing with it in the US. We have the same problem here in Australia where we have a very high percentage of indigenous people locked up in prisons compared to the overall percentage of the population. There's clearly something broken with that. I think that's partly because of the lack of transparency in the whole system. You can look at this almost throughout the entire world. In some places it's a little less so and somewhere it's a little more so, but we're certainly seeing something that's a systemic problem worldwide and hopefully we're seeing a change. Something will have to change there.
Markus: That's actually a very interesting philosophical discussion.
Dr. Neil: Yes! I am not sure how fitting this is for an RD column, but it's super interesting. The society that we live in globally is built on the history that made it how it is. We have to accept that part of history involved some pretty horrible things. Like slavery, like genocide, like the capture of countries that didn't belong to the conquerors. Let's face it: The British empire was created because they had guns and the other people didn't. We have to really understand how we got to this point before we can come to solutions.
This goes all the way back to Roman society. It's not hugely surprising that a lot of legal systems around the world are based, at some level, on Roman law. That's because the Romans worked out legal mechanisms that justified their ability to build an empire, take over countries, capture people, turn them into slaves, give them mechanisms to become free, have earnouts. These are all concepts that are intrinsic to our behavior and our society. So yes, this is not an easy “let's turn this switch over to six and we'll be fixed” type of situation.
Markus: This is a pretty heavy conversation for a coding magazine.
Dr. Neil: [laughs] It is. It's something that needs to be discussed everywhere. Nothing can change until we see what's happening, whether it's in our code or our society.
Markus: True. Thanks for meeting with me. I'll be seeing you online or at a conference sometime.
Dr. Neil: It was fun. Thanks!