Ecosystem Security: Protection through collaboration

J. Trent Adams
4 min read · Aug 9, 2018

Solving security issues you can’t tackle yourself, or hire a vendor to do it for you.

As Director of the Ecosystem Security team at PayPal, I’m often asked what we do. Basically, the team was founded by Michael Barrett in 2009 with the understanding that there are security issues that can only be addressed as a community. Essentially, we recognize there are security gaps that can’t be filled by a company on its own, or hiring a vendor to lock them down for you. With that in mind, the mission of the team is to tackle Internet security issues with a mix of technical standards along with industry and regulatory policies. To accomplish such a lofty goal, each member of the highly experienced team is either a lead, co-author, or close collaborator on world-changing specifications that make the Internet safer for everyone (not just PayPal customers).

Technology

Some of the technical specifications we’ve helped to create include:

Research

An important aspect of security is continual research in order to stay ahead of malicious actors. We lead or partner with other organizations in order to test assumptions and explore new ideas. DMARC, for example, started as a research project in conjunction with Yahoo in which we tested various combinations of email authentication technologies in order to shut down spoofed domain attacks. To determine the effectiveness of visual trust indicators, we partnered with Seznam to run A/B tests across their entire set of users. The team also set up an Advanced Security Lab in conjunction with Singapore University that was initially tasked with running TLS 1.3 through its paces in order to identify weaknesses (and how they can be exploited). After determining the technical limitations of dynamic DH key exchanges, the team is refocusing on new areas for exploration.

Organizations

We often work within various organizations such as the IETF, W3C, M3AAWG, APWG, and OASIS. We will also stand up entirely new organizations when necessary to support the development and adoption of a specification (e.g. FIDO Alliance, DMARC.org). And when others on the team shoulder the deep subject matter expertise, I play the role of a flywheel to keep the work moving from conception all the way through to adoption. Also, as was the case with DMARC and FIDO, we’ve played an operational role in conjunction with the technical deployment teams.

Regulatory Policies

To ensure a thorough understanding of and reliance on effective technologies, we also engage with various regulatory organizations. For example, we’ve worked with the US National Institute of Standards and Technology (NIST), the HMRC in the UK (the equivalent to the US IRS), the National Cyber Security Alliance (NCSA), and the Global Cyber Alliance (GCA). While the Ecosystem Security team doesn’t typically engage directly with governments, we often provide guidance to those who do. The end result is that we’ve seen positive changes in legislation, policies, and regulations when those crafting them are well informed about the technical details of our work.

What’s with the logo?

Beyond the questions about the Ecosystem Security concept itself, the next question is often about the logo I made for the team. The multiple arms are meant to symbolize the complex interconnections between all the different aspects of the Internet ecosystem. And the dual-colored shield represents the non-uniform nature of the defenses that are required. Whenever I develop a new project, I typically work on a logo to help build team cohesion and tie everything together. In this case, it has served us well for nearly five years.

Global Impact

Overall, I’ve been incredibly impressed with our impact on users of the Internet. Through the work of the team, everyone using a web browser or sending email can feel more confident that their online interactions are secured. We’re also incredibly humbled by the impact our small team has had on the world. Over 2 billion people are demonstrably safer due to the technologies we’ve developed. We’re looking forward to expanding on our work and continuing to develop global security technologies for decades to come!

J. Trent Adams

Working at the intersection of online identity, security, & privacy. - My opinions are my own. -