Friday, December 20, 2013

IT security predictions 2014

It's prediction season again and I've written a piece for CSO Australia.

Here's how it starts...
"2013 was the year of Edward Snowden and the NSA spying revelations. We also faced a deluge of data breaches with an increasingly large amount of information compromised. The emerging trends that appeared on the radar in 2012 such as Cloud, Mobility, Social and Big Data became key challenges for organisations in 2013. These will continue to be important in 2014, but what will they evolve into? What other things do we need to consider?"

Click through to the article for the predictions. Got an opinion? Comment or Tweet me.

Monday, November 18, 2013

Social identities are becoming our online driver’s licence

Note: This is a companion blog post to an article I wrote earlier this year for CSO Australia. The original essay was too long for an online publication, so I split it up into 2 related, but independent pieces.

For the generation that assumes a priori that the Internet is a tangible, more-essential-than-oxygen component of the air, social networks have become the digital manifestation of their identities as people. Most use each social network for a specific purpose. For example, Facebook content is typically personal and LinkedIn content is almost always professional. Where possible, we try to confine their use within our subconscious boundaries, but they invariably bleed into each other through porous walls. Nevertheless, each is a persona; a one dimensional representation of our real selves.

While online, much of our significant actions require some form of identification: a licence that says enough about us as unique individuals. While we don’t need a driver’s licence to walk along a road, we do need one to drive along it. Similarly, to do anything of significance online, we need to prove who we are to varying degrees; we need a licence that says enough about ourselves to be allowed to perform certain activities.

A majority of our individual activities both online and off can be divided into two categories: transactions and interactions. We transact with retailers, financial institutions and governments. We interact with friends, family, colleagues, employers and government institutions. There are exceptions to these, but a majority of what we do conforms to this model.

The word “transact” in this sense is not always tied to financial activities. Anything that has a negative real-life impact when fraud is committed can be deemed as transactional. In life, our identity matters when we transact and interact with retailers, financial institutions, governments and other people. There is however, a distinct difference in the acceptable forms of identity when comparing transactional activities and interactions which is tied to risk. It is why certain organisations will accept your Facebook account as proof of identity, but others will not.

Appropriate use of social identities

The key to understanding appropriate use for social identities is context. In real life, activities that require proper identification such as a passport or driver’s licence are transactional.

If you analyse the scenarios you are familiar with in dealing with retailers, financial institutions and governments, you will quickly realise that for anything we classify as an interaction, using social identifiers for access is sufficient. For transactions, they are not.

In the Information Security world, this is known as using the appropriate Level of Assurance (LOA) for the appropriate context. A higher LOA is required for transactions than interactions. The progression to a higher LOA is typically achieved using multi-factor authentication. If you’ve ever received a code on your mobile phone immediately after your username and password has been accepted and asked to enter it into a site before it allows you access, you have used multi-factor authentication. The SMS code sent to your mobile phone increases your LOA.

In situations where social identities play a part in the authentication process, they are best used as first level of authentication. As a “lightweight” identity, this provides the personalisation we psychologically crave and the added usability organisations would like to provide. The fact that personalisation provides additional insight to organisations is a bonus for them. When the interactions verge on being transactional, the LOA needs to be raised using either a second factor or a stronger form of identification. In real life, this is best demonstrated by the fact that a driver’s licence is sufficient for entry to a bar but a passport is required to cross international borders.

Excessive collection of personal information

A major concern regarding the use of social identities as a login mechanism relates to the amount of sensitive personal information stored within social networks. Using your Facebook account to login to another site does not necessarily give it access to your Facebook account (e.g. to make updates). More commonly, the login process involves sharing an amount of information about yourself that the site requires.

The word “requires” is used loosely here. Far too often sites ask for more information than they actually need because they can. We have become so accustomed that we accept it as the norm. Bad data collection practices have trained us into accepting additional risk as a condition for using the Internet. In reality, most sites really only need a way to contact you (e.g. email) and perhaps your name. Put simply, a site should only ask for the information it needs for you to complete your tasks.

The breach the Australian Broadcasting Corporation’s website suffered earlier this year is a perfect recent example of data collection misuse. The information stolen included easily cracked hashed passwords and personal details about each person that the website did not need. When we give up our information to an organisation, we almost never have control over anything that happens to it after the fact.

This is something that the Kantara Initiative is attempting to address through its User Managed Access (UMA) work group and the associated UMA protocol. But until this or something like it is mandated across sites that store information about individuals, it is extremely difficult to address the lack of control we have over our personal details and their proliferation.

Note (not part of original blog post): I strongly suggest checking out Ian Glazer's "Big P Privacy in the Era of Small Things" video if you are interested in exploring and understanding this topic in more depth.

Potential benefit of social identities

Social networks have the potential to reduce the number of places that our information is stored. In addition, they can potentially become the gatekeepers to our information. Imagine if the interaction between a social network and another site included the obligation to delete our information upon request by the social network using a protocol like UMA? Better still, what if it required that the information used be transient and disappears when our session with the site in question ends? Nothing actually gets stored.

In fact, some social networks enforce this today, although this is used more as a defensive tactic to reduce the likelihood that a partner site becomes a competitor by replicating all their user data than a way to protect the information for the benefit of users. Sites that do not conform to the policy are unceremoniously prevented from being able to interact with the social network in any way.

There are benefits to be had for the sites accepting social identities as logins too. Studies have shown that user drop-off rates decrease because users no longer have to fill in forms to access the site. Data storage costs drop as a result and for organisations that do not want to be front page news for losing user data, this risk is no longer present.

A driver’s licence is not a passport

We began by referencing the generation of digital natives driving the assimilation of our digital and physical lives. They influence online innovation today through their demands and expectations. They are the demographic many businesses target. As a result, their behaviour shapes the evolution of the online world and by extension, the real world.

The rest of us have to begrudgingly adapt to a reality being built for them. Like it or not, social identities are becoming the Internet’s driver’s licence of choice. However, social identities are not our online passports. The world is not ready for that reality. And unless social networks start vetting people like banks do, that reality is unlikely to ever be achieved.

Monday, November 04, 2013

Gain RELIEF with future proof security

I wrote an article for SCMagazine that was published in late October. Unfortunately, since more than 7 days have passed, it now sits behind a registration wall (which I believe is free, but still requires effort on your part). It was originally titled: "Holistic security heals your cloud and mobility symptoms", but the editor decided the current one worked better.

For those that don't feel like registering to read the article, the RELIEF acronym in the title spells out:

  • Resources – What are you trying to protect? This is almost always going to be information. Often, IT departments classify the applications housing information as resources, but without the information, applications do not need to be protected. The classification of data needs to be considered here as this has a bearing on access control policies.
  • Entry – How is each resource accessed? Through an application? Database? As a text file on a file server? Do the access control policies and enforcement mechanisms cover all the combinations and can they be easily managed? Where are the blind spots? Where is access not enforced?
  • Locations and time – Where are these resources located? On-premise? In the cloud? Where are resources accessed from? Can people access a resource when they are outside the office? When can they access these resources?
  • Identity – Who is accessing corporate resources? Can access be tied back to a single individual or is the audit trail ambiguous? Can you enforce access based on who the person is? Are the monitoring mechanisms able to understand identities?
  • Exit – How can information leave the organisation? What are the allowable circumstances and combinations where this can happen? Can this be enforced or at the very least monitored? Are there blind spots?
  • Flow – How does information move between entry and exit points? What about all the points inbetween? Is the flow of information completely auditable and enforceable at all touch points?


Thursday, September 19, 2013

Authentication debate fuelled by Apple Touch ID is in itself a game changer

FIRE 01
There's a good debate on ZDNet between John Fontana and David Braue around the issue of whether Apple's Touch ID is a game changer. I've spoken to, discussed things with and read stuff written by both these guys, so I can vouch for the fact they know what they are on about, which is why I'm sort of fence sitting in the context of their actual debate. But if someone shook the fence I'm currently sitting on vigorously and I assume the question was framed around Touch ID in its current form (or rather, how it will be when the iPhone 5s is released in a few days), I'd probably fall onto the side that John's on.

John makes 2 really great points that I wholeheartedly agree with:
"Currently, Touch ID has no way for the enterprise to tap the technology into their identity and access management systems."
and
"...without an SDK, developers that made the App Store explode won't be able to lift a finger to raise Apple's security profile above a whimper."
He's right. But I believe Apple will eventually allow developers to hook into Touch ID, albeit indirectly. Apple does not build things into their devices without a long-term strategy for them.

Those of us in the IT security field are paid to be paranoid and sceptical, so I can understand how security professionals are not jumping on the Apple fanboy bandwagon. Interestingly enough, many are closet Apple fanboys when not doing their day jobs. One thing we all struggle with however, is getting people to actually care about security, let alone openly debate it.

While I don't believe that Touch ID in its current form is a game changer, the fact that Touch ID's lit the fire under the authentication debate is. That is something only companies like Apple can do.

While it may seem self-serving to quote myself, that's exactly what I'm going to do. I said in my previous blog post:
"...it will take at least one well-known brand with a significant amount of consumer influence to fork-lift-point us down the non-password oriented identification path."
Apple's done that. If you read some of David's arguments in the debate, he's actually projecting potential future applications of Touch ID, not features it will have upon initial release:
"MDM tools are all about adding a layer of control to distant mobile devices, and fingerprints are a readily available way for distant users to prove their identity."
and
"Better API access would allow developers to use fingerprints anywhere they now require user ID-and-password combinations."
Sitting firmly perched back on my fence, I agree with John that Touch ID in its current form is not a game changer. But I agree with David that Touch ID's potential, with the Apple juggernaut behind it, is.

At the very least, the fact that authentication has become a hotly debatable topic in the mainstream is the actual, indisputable game changer that Apple's managed to fuel with the introduction of Touch ID. As an added bonus, if your day job is to sell security internally to C-level decision makers, here's a potential way in to start those security conversations. Remember to leave the propeller hat behind in your desk drawer.

Thursday, September 12, 2013

Usable identification - the key to a world without passwords


Consumer devices offer the best vehicle in bringing non-password based authentication mechanisms to the mainstream much the same way social networks have brought identity federation to the masses. It is the best shot we have of eventually killing passwords off for good. If that day comes, passwords will more than likely be replaced by a combination of biometric and token-based mechanisms.

The inevitable rise of wearable computing in addition to the ubiquity of smart phones will result in an abundance of options (compared to a world before smart phones) in available tokens to use as part of the identification dance known as authentication.

Signing on to a site using your social network is not commonly referred to as identity federation; that's what security people call it. But it works because it's usable, although this is at the expense of some security. Social identities help consumers clear the security hurdle to the point where the word "security" doesn't rate a mention during the authentication and/or registration process. Social networks however, still use passwords.

Passwords on their own are insecure. In the absence of other ways to identify ourselves (i.e. multi-factor authentication), a lot of damage can be done to our digital lives that are difficult to recover from. Also, let's not forget about the number of hacks suffered by multiple sites that included leaked passwords. But they remain because the username and password combination is a design pattern we have been trained to understand and accept. Because we have been conditioned this way, passwords are inherently usable. Therein lies the challenge in moving past them.

Good authentication practices have always included multiple factors. In other words, passwords on their own just won't do. In addition to usability, cost is almost always a prohibiting factor. It costs an organisation a lot of money to procure the hardware required to support authentication mechanisms beyond passwords. Wouldn't it be nice if consumers had tokens they could use that were as secure as these expensive ones organisations currently have to buy?

Some organisations have weighed the risks against costs and decided that SMS tokens are good enough to be considered as an acceptable second factor beyond passwords. If you've looked into this, you know SMS messages are not actually that secure. But for a lot of scenarios, they are "good enough" when combined with the primary password. If organisations want to move beyond this however, it gets very expensive.

It took well-known brands with a significant amount of consumer influence (e.g. Facebook, Twitter, LinkedIn) to bring identity federation to the masses. Similarly, it will take at least one well-known brand with a significant amount of consumer influence to fork-lift-point us down the non-password oriented identification path.

In the case of authentication however, there is the cost consideration that was not present in the consumer identity federation equation. How can we put stronger authentication factors in the hands of consumers in a cost effective manner? Ideally, we would make consumers buy these tokens, but who would want to do that just for a bit of extra security and a more disjointed user experience? Enter large, well-known consumer brand with the requisite influence.

Apple, the king of making technology usable is that organisation. Their announcement yesterday of the Touch ID fingerprint sensor on the iPhone 5s is the latest (and loudest) in a recent spate of devices that have the potential in helping achieve the right balance of usability, cost and security at scale. Rich Mogull's article on TidBITS is the best one I've read if you want to understand some of the security aspects.

Beyond Cupertino, there are a few recent developments that will hopefully be caught up in the Apple authentication snowball that is rolling down security mountain:
  • Nymi is a device which wraps around our wrist and uses our unique cardiac rhythm to authenticate and identify us to things around us. There are unknowns around how or if this will actually work, including some more knowledgable about cardiac rhythms than I, who remain sceptical. Dave Kearns however, is a little more enthusiastic, as are most other people on Twitter. I for one, hope it actually works because the potential scenarios are interesting, exciting even.
  • Let's not forget about the impending barrage of smart watch releases over the next year, starting with Samsung's Galaxy Gear. Apple of course, has also been working on the rumoured iWatch. Even car manufacturers like Nissan are clamouring to wrap themselves around our wrists. While smart watches aren't inherently security devices, they are effectively another token that could be used in the authentication process. For example, the fact that a smart watch is mine and is paired with my smart phone (or car in the case of Nissan) at the point of identification (authentication) gives the system identifying me a level of assurance that I am who I claim to be.

As with any new technology, there are potential security implications that need to be analysed and I'm sure this will be done by many when the devices are made available to the general public. But Apple Touch ID, Nymi, smart watch manufacturers and other wearable devices we have yet to hear about have the potential to make security invisible.

Security is the enemy of usability. Studies have shown that when presented with a secure option or an easy option to perform a task, people almost always choose the easy option. The trick is to make the easy option also the secure option. The devices mentioned aim to make our lives better. The fact that they have the potential to make our lives easier while improving security is exciting.

Here's to a future where we don't need passwords, but can stay secure while remaining blissfully ignorant of that fact.

Saturday, July 27, 2013

Securing the hybrid cloud

The following is an excerpt from an article I just wrote for Business Spectator Australia's technology section.
Securing a hybrid cloud model requires a mindset shift from traditional IT security approaches. Analyst firm Forrester uses their Zero Trust model to illustrate the fact that IT security can no longer trust activities occurring internally within the walls of the organisation. Security is about verifying everything that occurs and organisations have to inherently assume an insecure state and react quickly as a security incident occurs.
Check out the rest of it here.

Friday, July 12, 2013

Identity foundation

You wouldn't believe how often I still have to explain Identity & Access Management (IAM) basics to people. Or maybe you do because you feel like a broken record each time you do it. So I created this to help explain it to someone who knows nothing about what comes second nature to those of us in the security game.

Note: This is a GIF so if you're viewing this through something that doesn't render GIF files properly, it's going to look like an absolute mess. Also, unless you have a magnifying glass handy, I suggest clicking on the image for a slightly larger version.


Friday, May 10, 2013

Login to the real world with your Facebook account

The following is an excerpt from an article I just wrote for CSO Australia.
Ultimately, context is the key to understanding the appropriate use of social identities. While we may be happy browsing a retailer’s website logged in with our Facebook account for a personalised experience, we are not going to be making the payment with it. Organisations that get the balance right while understanding appropriate use and context can begin their social-enablement journey with their eyes open.
Check out the rest of it here.