Feb 24, 2023
Examining a utopian IT environment...until it wasn't.
The first season of the science fiction series Westworld follows the events of a futuristic amusement park, where visitors interact with lifelike robots set in a Wild-west theme. The park's host androids begin to develop consciousness and memories, leading to a power struggle between humans and AI.
While highly regarded and entertaining, the show’s prophetic take on employee and customer experiences using technology and identities within the park sparked my interest in the show.
Much like Star Trek inspired so many different technologies and inventions back in the 60s, I bet that the 2016 remake of Westworld is doing the same today for IT Pros.
Let’s explore this fascinating world of computer user experience.
Employee’s frictionless experience
Straight away, the viewer notices the bespoke, foldable tablet-like devices used as their primary tool - it can be used in a phone format, a traditional tablet, or at times, employees can pair up or dock the device with kiosk-type workstations for more dedicated use.
Applications are performant and local to the device. There is no latency when issuing commands or receiving information. Telecommunications are built into the interface and seamless with the main application.
The technicians have augmented reality (AR) glasses to present information within the line of sight of their focus.
The voice commands issued by the employees to systems and hosts are some of the most inspiring aspects of the show. Until the recent emergence of ChatGPT, I’d have thought we would be decades away from this becoming a reality, but we could see these capabilities much sooner than we all think.
In essence, the Westworld IT pros created a user experience akin to the builders' relationship with their hammers: It is all easy to use and works.
Security
What we didn’t see from a security perspective made this so enjoyable. Not a password or MFA-type token was seen in sight. The employee’s tablets were not only the means of access to systems and hosts, but they also seamlessly incorporated authentication.
Though you only saw it once in a blink-and-you’ll-miss-it scene, one of the characters placed their fingerprint on somebody else's tablet to authenticate and elevate authorization for an application. It was a relatively simple gesture and, at first glance, not as secure as one may wish for (Single-factor authentication?).
As other scenes had employees picking up tablets without this gesture, there was probably much more behind the curtain based on behavioral biometrics. The tablet may have registered unique employee physical attributes, like body temperature, heart rate, voice recognition, and body movements. Or these were recorded by another wearable device, like a watch, and transmitted to the tablet. Maybe security cameras outside the camera angle read what the employees were doing, seeing them holding a tablet device and using AI/ML processes to tie all the circumstances together to authenticate and unlock the devices, much like Amazon Go’s cashier-less store technology. One can only imagine the privacy implications of something this far-reaching!
In any case, to tie these concepts to the traditional MFA that many think of today, the possession of the device (something they have), employee attributes (something you are), plus other things like location (somewhere you are) were used for this frictionless, non-intrusive MFA which many enterprises fail at today.
In season one, nobody celebrated hacking a firewall or a host (a first in modern-day sci-fi?). One could assume this world did away with firewalls altogether and perhaps relied upon zero-trust principles, like those published by NIST. Maybe it is an entirely closed-off ecosystem, except for the train bringing the guests into the park. Whichever the case, I’m hoping further seasons give a closer look at how cybersecurity and access are handled.
Role-based access control (RBAC) featured heavily in discussions, QA employees have different access than Programming, Operations, and Livestock management divisions. Nobody needs to “request” access from a helpdesk or gets frustrated that they don’t have access to things they should. It all just works.
The employees, hosts, and guests all had access to the same host interface through voice commands, and the advanced use of RBAC meant each persona only had access to the things that they were meant to have. For instance, the admins and technicians had rights to read-only entertainment-type interaction.
Dedicated tools feature heavily and make environments secure by nature. No generalized internet access, email, office, or PDF documents exist. The closed nature of the employees' toolsets limits the attack surface.
Identity concepts
Westworld’s use of identities was crucial to the park's success regarding access, control, and the frictionless experience mentioned above.
All interactions with the host were with the same 5-sense interface that humans have, regardless of who the user was (employee, technician, park guest, or even robotic animal).
From the guests' perspective, gathering likes, dislikes, turn-ons, etc., set them up for an enjoyable and individualized experience from the hosts.
Technicians and other employee roles had greater control over the hosts and could access restricted diagnostic modes. Host access was limited to acting out their storylines and limited improvisation. They could not maim or kill any other host or role except those designated in the story.
The granular role and attributes designated to each resource, employee, and guest worked as a business enabler for the park, allowing full control and visibility, therefore ensuring a safe and engaging customer experience. These same concepts are reflected in many enterprises' goals with their digital transformations and work on digital twins today.
Where does it go all wrong?
Like many science fiction stories, security failures enable story arcs or the entire storyline to occur - Westworld is no exception. Unchecked code from the park’s director causes erratic host behavior. Major host behavior modifications that were not alerted upon, data exfiltrated through unchecked communications channels, manipulation of logs, and lastly, employees and hosts operating outside of their role’s parameters going unchecked without generating alerts.
One might think that a zero-trust approach to security may have prevented many of those failures and allowed the company to retain control of the park. Unfortunately (or fortunately for the viewer?!), the failures allowed the protagonist park director to have free reign and, to avoid spoilers, I’ll just say, resulting in an explosive conclusion.
Will life imitate art?
Westworld shows us that a resourced IT organization implementing modern security principles and identity concepts can create a truly frictionless and (mostly 😀) secure operating environment. Though it takes place in 2058, a sizable portion of the displayed user environment can be replicated by enterprises today. The show's creators extrapolated modern technology several decades out to show a possible version of what a superior computing environment could look like, so their depictions are not that far-fetched. As for the life-like androids that claim sentience and personal rights, that’s a topic for another time (decade).
What to read next
What Star Wars can teach us about zero trust
Zero trust, as explained by a pirate (with help from ChatGPT)
Recommended