How to utilise the unlikely similarity between smallpox and security. TEISS: Cracking Cyber Security.
Mike Kiser, Security Evangelist at SailPoint, explores how modelling medical epidemics, such as smallpox, can help companies strengthen their identity and security practices. The Bernoulli Principle provides an illustration of this comparison.
Smallpox is one of the deadliest diseases in all of human history. If you contracted smallpox in the 18th century, you would have a 1 in 3 chance of dying within 16 days. In the 20th century alone, it killed over 500 million people. Fortunately, it’s also the only infectious disease among humans that has been successfully eradicated.
Daniel Bernoulli published the first epidemiological model in 1760. He attempted to prove the effectiveness of immunisation against smallpox, and demonstrated that it increased life expectancy in the general population. As a result, he introduced the use of epidemiological models, which now address the spread of malaria, AIDS, SARS, measles and cholera.
Bernoulli’s model provided three benefits related to the spread of disease. Firstly, the model created an understanding of the mechanism of transmission. Secondly, it gave a prediction of the future expansion of infection. Thirdly, and arguably most importantly, it introduced control over the spread of the disease.
When combined with a network-graph representation of identity, a machine-trained model can provide similar results related to the spread of identity and its related access. In short, applying epidemiological concepts to identity holds great promise for innovation.
Just as smallpox was communicated from patient to patient, access to sensitive data often spreads like a disease inside communities of identities. By understanding how access is transferred from “patient zeros” to the surrounding community, it is possible to begin to predict which identities will soon accumulate access. Inoculation-type tactics can then be identified to restrict the spread of unnecessary access.
By analysing these “infection patterns,” the machine-trained model can provide recommendations for governing identity, enhancing decision-making and educating human users. It can also deliver guidance for pairing machine learning and human learning in a “virtuous loop.”
Over time, routine approvals or revocation of access could be completely automated. This allows humans to focus solely on difficult boundary cases, accelerating overall productivity for securing identity. By “inoculating” communities against the spread of access, risk to enterprises and the community at large is reduced.
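A minimal sketch of the “infection pattern” analysis described above, added here as an example and not SailPoint's or the author's model. A simple peer-exposure heuristic stands in for the machine-trained model, and every identity, entitlement, grant day and the 0.5 threshold is a constructed assumption.

```python
from collections import defaultdict

# Constructed sample data: peer links (shared team or manager) between identities.
EDGES = [("ana", "ben"), ("ana", "cho"), ("ben", "cho"), ("cho", "dev"),
         ("dev", "eli"), ("dev", "fay"), ("eli", "fay")]
# Constructed grant log: (identity, entitlement, day the access was granted).
GRANTS = [("ana", "finance-db:read", 1), ("ben", "finance-db:read", 4),
          ("fay", "finance-db:read", 9), ("dev", "hr-share:write", 2)]

def build_graph(edges):
    """Undirected network-graph representation of identity."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def holders(grants, entitlement):
    return {who for who, ent, _ in grants if ent == entitlement}

def patient_zero(grants, entitlement):
    """Identity with the earliest grant of this entitlement."""
    rows = [(day, who) for who, ent, day in grants if ent == entitlement]
    return min(rows)[1] if rows else None

def exposure(graph, infected, identity):
    """Fraction of an identity's peers that already hold the entitlement."""
    peers = graph[identity]
    return len(peers & infected) / len(peers) if peers else 0.0

def likely_next(graph, grants, entitlement, threshold=0.5):
    """Non-holders whose peer exposure meets the threshold, highest first."""
    infected = holders(grants, entitlement)
    scored = [(exposure(graph, infected, i), i) for i in graph if i not in infected]
    return [i for s, i in sorted(scored, key=lambda x: (-x[0], x[1])) if s >= threshold]

def isolated_holders(graph, grants, entitlement, threshold=0.5):
    """Holders whose peers mostly lack the access: candidates for recertification."""
    infected = holders(grants, entitlement)
    return sorted(i for i in infected if exposure(graph, infected, i) < threshold)
```

Identities returned by `likely_next` are where an access request is most likely to appear next, so a reviewer can decide in advance whether it should be granted; `isolated_holders` narrows a recertification campaign to the holders who do not fit their community.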
However, the road to eliminating smallpox was not a short one. The World Health Organisation declared the disease eradicated in 1979, several centuries after Bernoulli’s work began. This followed extensive worldwide campaigns to encourage awareness and vaccination. Similarly, improving the cybersecurity stance of organisations today requires every employee to be aware of the risks. They should think ‘security first’.
Developing protection amongst the general population in this way allows IT teams to target problem areas or new platforms. This should make the launch of recertification campaigns, which validate identities, more effective. They become less of a burden on the organisation’s workforce as a whole, with only those requiring attention being recertified.
There are times, however, when this model should be used to promote the spread of identity rather than to restrict it, especially when it comes to the ‘infectiousness’ of identity itself. Initiatives such as ID2020 are endeavouring to ensure that underserved groups are not left behind by the promise of digital transformation.
By granting identities to underserved individuals, these initiatives allow them to access health care, exercise voting rights and obtain education, and otherwise reap the benefits of what are assumed to be basic human rights.
For example, UK FinTech firm Monzo has started an initiative to help people who have lost their official identity markers regain their footing in society. It does this by easing the path to obtaining a bank account, the gateway to being recognised by organisations such as housing associations, employers and mobile phone companies.
More than this, the epidemic model could be used to examine how underprivileged communities adopt identity, to remove inhibitors to its acceptance, and to accelerate its adoption in communities worldwide.
What Bernoulli began in 1760 still finds its expression today: modelling the real world with the end goal of improving the quality of human life. From within the organisation to societies as a whole, we all rely on identity to help us go about our daily lives. As we seek to innovate in his footsteps, we have no doubt that he would be using the same techniques and ideas were he around today.