Know Thy Customer
The Wall Street Journal European Edition of 14 February 2013 reports that the EEOC (Equal Employment Opportunity Commission) in the USA issued guidance that businesses should in effect hire more (former) criminals. Employers should not allow a history of criminal conviction to unduly influence them when it comes to hiring. If two people are very similarly qualified, employers should not simply rule out one because of a past criminal history. The article reports that in 2010 the EEOC commenced a lawsuit against G4S Secure Solutions after the company refused to hire a twice-convicted Pennsylvania thief as a security guard. G4S provides guards for nuclear power plants, chemical plants, government buildings and other sensitive sites.
This story can be viewed through many lenses, of course. For me, it is fundamentally about identity, and the predominant yet often underestimated, underappreciated role identity plays in both the 'real' and virtual worlds. It is worth mentioning at the outset that by 'identity' I mean who a person actually is--the sum of their actions and their character, not simply their (alleged) attributes, such as name, address and date of birth.
In a recent thoughtful blog post, my colleague Aljosa Pasic mentions the famous dog cartoon of 1993, where one dog sitting at an online PC says to a dog sitting beside him, 'On the Internet no one knows you're a dog'. That this graphic was published in 1993 is remarkable--not only was the identity problem known back then, it hasn't really improved all that much, particularly when you consider how much else has been revolutionized since that year.
Jump ahead to today, and identity is more important than ever. Cloud computing, with its lack of perimeters, cannot be secured by the 'old' techniques, such as firewalls which depend upon notions of walls and barriers in order to function. With data potentially on the move, with infrastructure that is virtualized rather than 'big iron', the old perimeter-centric security appears to no longer apply. So some are suggesting that 'identity is the new perimeter'--a sentiment I agree with entirely, except for the word 'new'.
Identity has always been, and will always be, the most fundamental 'perimeter.'
More and more with regard to the cloud, we hear about the 'identity problem' and variations upon that theme. Vendors will say, 'Cloud users need to improve their identity management', and 'How can I know who is accessing my data?' (the latter expressing both authentication and authorization issues). I agree--but this may make people feel that the identity management problem is solved in non-cloud environments, or that identity and authentication are new problems.
Cloud or not, nothing is so fundamental or 'atomic' to IT security as identity (and its closely associated concepts such as authentication, identification and authorization). But because the worlds of IT security and compliance are in an almost constant state of flux, it is easy to lose sight of what really matters or to 'miss the wood for the trees'. The internet is fundamentally an anonymous place and was not designed as a secure platform--the fact that it typically fails to posit a trustable identity must be considered one of its premier weaknesses.
Much, though certainly not all, of today's security functionality is deployed because identification and authentication tend to be so weak. Passwords provide a bare minimum level of security and, in many cases, no real information about an individual is required to visit a web site. Because so many online visitors are anonymous, a lot of security infrastructure needs to be erected to attempt to block unwanted behavior performed by strangers. If somehow I could separate out the 'good strangers' from the 'bad strangers', I wouldn't need quite so much security infrastructure or security managers. I’d apportion my effort towards the unknown parties.
Consider this: when credit card data is stolen, it isn't due to a mathematical prodigy decrypting the data. It is because someone has logged into a crucial server with a stolen or guessed password. The stolen password and the fake identity are the real culprits behind even the most sophisticated hacks. In the well publicized and highly sophisticated RSA SecurID attack, a theft that sounds like it was lifted whole from a Mission Impossible movie, key elements of the attack were simply down to 'fake identities'--for example, an email that appeared to come from Beyond.com actually came from hackers. Had, in a magical, hypothetical universe, some kind of 'x-ray' vision revealed that the actual composer of the email was a hacker based in China, the rest of the attack would never have started.
The target of the RSA attack was, interestingly enough, not RSA but Lockheed Martin, and the data they used in the authentication process itself. The hackers hoped to impersonate a Lockheed Martin employee by using stolen SecurID data in order to get to highly confidential military secrets. That the hackers needed to breach one company in order to hack into another, and that a military company used an RSA product, shows us that actually RSA's technology is not at fault, nor their people--it simply points up again how dedicated and sophisticated today's hackers are, even when faced with an obstacle as sturdy and well-regarded as RSA's. Returning to Mission Impossible, this isn't a case of a person pulling off a mask to reveal their true identity--they're pulling off two masks, one used for RSA, and one used for the ultimate target, Lockheed Martin.
Lockheed Martin is hardly alone--there isn't enough space here to list the number of hacks that use stolen credentials and false identities as a key step in an intrusion. Perhaps the scale of the problem is best exemplified by the mere existence of the web site www.shouldichangemypassword.com, which claims to determine if one of your email accounts is among the many that have been hacked. This site also lists hundreds of enterprises and agencies that have allegedly had their password database compromised in some way.
If we regard the situation from a hacker's perspective, the more information about you is made available, and the more 'identifiers' you have on Facebook and LinkedIn (to name but two rich sources of identity information), the easier the hacker's job becomes: the easier it is for the hacker to masquerade as you, or to send you customized attachments with unhappy payloads. Long ago I noted a contradiction in people. They would put highly personal, even confidential information on Facebook for all to see, they would tweet that they were off to Hawaii for two weeks (i.e., their house would be empty for two weeks), yet would simultaneously complain that 'the government' is engaged in all manner of conspiracies to steal their identity and get at confidential information. Apparently all 'the government' needs to do to get private information about you is to not ban Facebook.
We're seeing now that online financial services (among others) are beginning to understand the importance of authentication and identity. A few years ago my bank only required that I supply a user name and password to authenticate myself. Now, perhaps because so much value is transacted online, and because identity and credential theft are so prominent, financial institutions are demanding that more than a simple username and password be used to prove 'you are you'. Many banks today will authenticate client devices, so that if you attempt to log in from a 'fresh' device, you'll need to authenticate via a code sent to a previously registered and verified SMS or email account to prove that it really is you logging in. Other online services firms may require different kinds of authentication--for example, answering a question no hacker would know the answer to (assuming the answer isn't available on your Facebook page--i.e., where did you go to high school?), in addition to providing your password.
Another, different example of authentication: my bank will only permit significant funds transfers if I enter into the web page the PIN I receive from the bank via SMS. All of the above measures improve the degree of confidence the bank has that they are 'really dealing with me'--that is, they involve authentication, proving that 'you are you', without unduly burdening privacy.
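The step-up flow just described (a password every time; an additional SMS code only when the device is unfamiliar or the transfer is large), as an added Python sketch that is not from the original post and not any bank's real code. The transfer threshold, the code lifetime and the in-memory list standing in for an SMS gateway are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TRANSFER_THRESHOLD = 1000  # assumed policy: larger transfers need an SMS PIN
OTP_TTL = 120              # assumed: one-time codes expire after two minutes

class StepUpAuth:
    """Hypothetical bank login: password first, SMS code for unknown devices."""
    def __init__(self):
        self.users = {}     # name -> {"salt", "pw_hash", "devices": set()}
        self.pending = {}   # name -> (code, expires_at, purpose)
        self.sent_sms = []  # constructed stand-in for the SMS gateway

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, name, password, device_id):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw_hash": self._hash_pw(password, salt),
                            "devices": {device_id}}  # enrolment device is trusted

    def _send_code(self, name, purpose):
        code = f"{secrets.randbelow(10**6):06d}"    # 6-digit, single-use code
        self.pending[name] = (code, time.time() + OTP_TTL, purpose)
        self.sent_sms.append((name, code))           # "SMS" to the registered number
        return "otp_required"

    def login(self, name, password, device_id):
        u = self.users.get(name)   # real systems hash even for unknown users (timing)
        if u is None or not hmac.compare_digest(u["pw_hash"], self._hash_pw(password, u["salt"])):
            return "denied"
        if device_id in u["devices"]:
            return "ok"                               # known device: password suffices
        return self._send_code(name, ("device", device_id))    # fresh device: step up

    def transfer(self, name, amount):
        if amount <= TRANSFER_THRESHOLD:
            return "ok"
        return self._send_code(name, ("transfer", amount))     # large transfer: step up

    def confirm(self, name, code):
        entry = self.pending.pop(name, None)          # pop: one attempt per code
        if entry is None:
            return "denied"
        expected, expires_at, purpose = entry
        if time.time() > expires_at or not hmac.compare_digest(expected, code):
            return "denied"
        if purpose[0] == "device":
            self.users[name]["devices"].add(purpose[1])   # remember the device
        return "ok"
```

A wrong or expired code is consumed, so a guesser gets one attempt per sent code rather than a million.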
Financial institutions are hardly alone. Google is proposing "ring finger authentication", where one small ring around your finger could theoretically contain encrypted, highly secure passwords for all of your email accounts, files and bank accounts. Although some may think this is yet another marketing ploy, it actually feels to me like Google understands what is at stake.
Today's IT and security managers face a daunting task in trying to keep up with the constant change in the IT, security and compliance spaces. My view is that a good place to start when considering security improvements is with an identity-centric approach. Before engaging in a years-long seven-figure overhaul, consider whether or not improving identification and authentication might not improve matters. Cloud or no cloud, the more confidence you have in the identity of your users and customers, the better off you will be.