Thomas Koehler,
Cassidian CyberSecurity

Thomas Koehler is the CEO of the Cassidian CyberSecurity entity in Germany and Chief Strategy Officer of CyberSecurity Division. Thomas Koehler has more than 17 years of experience in growing industry-leading technology companies. He served as Country Manager at SafeNet Inc. and VeriSign for Germany, Austria and Switzerland. At Microsoft Germany, he served as the Director of Information Security Strategy and Communication. Before joining the Cassidian CyberSecurity leadership team he was the German Head of Public Sector at RSA, The Security Division of EMC2. Recognized as an authority on Security Awareness, Governance Risk & Compliance (GRC), Identity Management and Information Security, he has extensive strategy and innovation experience focusing on business mission-critical security programs for the Defense-, Public- and Private Sector.

Understanding the identity universe and the threat landscape it faces in cyberspace

Today, to world is facing multiple complex transitions at the same time. The Internet is the key driver in many aspects, while the availability of broadband networks are irresistible. With them The Internet of Things is expected to result in an explosion of digital identities to unprecedented levels. Consequently, decision makers globally, are looking to establish an interdisciplinary dialog to build the level of required trust for the Cyber World, looking at methodologies to drive convergence between ID and security. ID people met with Thomas Koehler, CEO of the Cassidian CyberSecurity, to discuss the paradox of trusted IDs in an untrusted CyberSpace.

With the availability of broadband networks and the emergence of the Internet of Things, how can the challenge of protecting high levels of digital identities in terms of security in an untrusted environment, be addressed?

First of all we need to understand the identity universe and the mix of identity types, the threat landscape and the criticality of the different identity thefts schemes. Unfortunately, the most used Online service authentication mechanism is still the ‘username and password’ one. For example, the compromise of my free online email account due to an identity theft Trojan has generally spoken a less critical impact – even it is quite embarrassing if some is sending wrong intended emails to my network.

However, it would be a complete different story if my hacked email account is being used to distribute also malware and exploits, which have the capabilities to take over the control of the laptop or tablet PC of my friends, which are subsequently being added to a Botnet in order to conduct a large scale attack against a critical infrastructure provider. Of course, this rather simple example could be extended with numerous more complex one, whereby social networks are being misused to deliver download links of Trojans, malware and exploits. These examples are showing the necessity to develop a more holistic approach to protect digital identities in the future. One promising approach is the ‘Identity and Access Intelligence’, which could be integrated into a broader cyber security strategy.

What does it mean for decision makers in both public and private sectors around the world in terms of secure data handling and computer network defense to protect vital assets?

It goes without saying that the public disclosed large scale attacks against government and corporations, during the last two years, have forced decision makers to rethink their security strategy. It has become clear, why the convergence of identity-, security- and risk management is important. Decision makers are fully aware that only an integrated security policy enforcement approach will increase the resilience against cyber-attacks.

However, the budgets and resources are limited to support the implementation of these enhanced solutions timely. Hence, it is necessary to foster a Governance Risk & Compliance initiative in order to get a comprehensive view about the actual risk and to prioritize the cyber security investments accordantly.

When building required trust for the Cyber World, what methodologies are required to drive convergence between identity management and cyber security?

Trust requires transparency. The necessary transparency into systems, infrastructures, applications, networks and services could be achieved through an enterprise Governance, Risk and Compliance (eGRC) initiative. The results of an efficient eGRC methodology, covering the Identity & Access – and the Cyber Security Governance, will support a better information based decisions and lead subsequently to a higher trust level. The key objective for trust building activities within the Cyber World requires that we are able to understand our risks and increase our ability to mitigate them more timely.

There are multiple technologies that exist for physically securing the identities of people and objects. How can these be interoperable as secure credentialing becomes the norm for transacting online?

The Interoperability between hardware based token like a smart cards and software tokens is mandatory to drive a higher level of trust for online transactions. They are promising scenarios. For instance, let presume you already have an eID card, which has been enabled for certain online transaction in your country. In order to use it you must have installed certain software and drivers. So far, so good. But now, you would like to use the eID for other services, which are not enabled for it. Furthermore, the online service provider is not based in your home country and has no plans to enable his services for the national eID scheme, because of economical reason. That is, where the federated identity concept could help.

There could be a trusted identity provider or identity clearing house, which would be the intermediary to provide the interoperability and trust between the national eID scheme and the online service provider schema. But to make this happen, the industry needs to solve the disputes on liability assignment for authentication failures to concerns over privacy.

As the growing wave of information also needs to be shared across emergency services or security agencies, how can cyber security solutions work together seamlessly and similarly, should public and private sectors join forces to evolve cyber defenses?

There is no doubt that the strategic success factor to increase the global cyber defense is based on secure collaboration between public and private sector. The enablement of secure collaboration requires governance and a clear scope regarding the policy requirement.

Good examples of secure collaboration are for instance the Transglobal Secure Collaboration Program (TSCP). The TSCP enables major government departments and agencies as well as defense and aerospace manufacturers and systems integrators around the world to work together securely.

How do successful breaches of large infrastructure providers such as public and private utilities impact on commerce?

Indeed, this type of attacks are the most critical ones, as they might be also the most damaging ones due to perceived shortages of critical supply chain inventory items – i.e. energy supply.

It underlines what I have said before, that the establishment of a holistic Governance, Risk and Compliance initiative is required to become more agile in mitigating high risks against critical supply chains.

Following a cyber-attack, are there levels of resilience which can come into play in order to maintain operations, but also recover and develop new defense techniques?

The complexity of cyberattacks is significant, which means that a point solution will not have the capabilities to handle the attack. The socalled APT (Advanced Persistent Threat) requires that we are using more innovative methodologies in order to understand the threat actors and the threat vector comprehensively. The only way forward is to change from the ‘late detection mode’ to an ‘anticipated detection mode’. This means, that the cyber-defense strategy must address the concept to implement countermeasures faster than their known adversaries will evolve. In fact, the knowledge of previous successful breaches must be carefully analyzed and put into cyber-attack simulation models enabling the anticipation of different scenarios.