“We are all little brothers”

In 1949, George Orwell published 1984, a classic tale of government oppression of ideas and freedoms, characterized by loss of privacy on a massive scale.  The famous quote ‘Big Brother is watching you’ warns the citizens that little they do in their private lives will escape the scrutiny of the totalitarian regime.

Fast forward to 2007: Canada’s Privacy Commissioner, Jennifer Stoddart, is raising the alarm on privacy.  Ubiquitous cameras and video recorders, combined with an increasingly cavalier attitude about what can be posted online, are undermining our privacy in ways even Mr. Orwell couldn’t have imagined.

Says Ms. Stoddart: “It’s not just Big Brother who’s akin to a government watching you in the Orwellian dystopia.  We’re all little brothers.  We’re all fascinated with the gadgets that allow you to do this.”

Are we all little brothers, immaturely wandering our neighborhoods, snapping pictures of whatever catches our eye and posting it to Flickr within minutes?  Are all the little brothers out there taking hours of video, hoping for something scandalous to happen so it can be captured and posted to YouTube for all to see?

And while 1984’s Winston Smith was fearful of the Ministry of Truth, in today’s world should we be wary of each other?


Managing tough security projects

For most of the past four years, I’ve found myself in project management positions on security projects.  The work has included managing technical and business teams as they integrated applications into an enterprise Identity and Access Management solution.

These projects have been among the most difficult I’ve had to manage, with most of the challenges coming from managing multiple teams.  On each of these projects, successful delivery of the work required cooperation from multiple disciplines: business analysts, software developers, infrastructure guys, core integrators, vendors, security analysts and privacy analysts.  On the larger projects (e.g. gov’t healthcare or education) there were up to seven teams involved, often from three or four different organizations.  And, of course, each organization had its own project sponsor and senior management teams to please…

Perhaps enterprise IAM is unique in terms of implementation complexity.  The client organization (government) certainly was complex, and the public-facing nature of the IAM solution required care in planning and execution.  The technology we chose was complicated and new.  The solution was highly distributed.  Our vendors over-committed and, frankly, under-delivered.

I found that it was critical to focus on delivery and manage that delivery formally.  For those projects where we used this approach, we were successful.  For others, well, the results eventually were produced but not without hardship and delay…


Bingo Cards

In a couple of previous posts I was pointing out the types of convergent solutions possible with smart cards and USB tokens.  These were reviewed on a project I was involved in that assessed a number of other strong authentication solutions.

One of these other technologies was Entrust IdentityGuard.  This access solution has a number of features and capabilities, including low cost fob-style tokens, USB tokens, SMS, machine-based and ‘grid authentication’.  This last solution type, grid authentication, uses paper cards with codes printed in rows and columns like bingo cards.

The primary advantages of grid authentication are low cost and ease of provisioning.  Bingo cards are included in the price of the license (approx. $9/user per year) and can be distributed via mail or courier — or even fax or email if receipt can be assured.  For companies with large numbers of users, bingo cards offer a significant cost saving — not just because the cards are cheap but also due to the flexibility of distribution options.

The downside with bingo cards is that they are less secure than alternatives (such as fobs), as the three-digit response used in the solution is obviously shorter than the codes produced by most random OTP solutions.  The cards can also be photocopied, which exposes the solution to unique threats: a copy of a static card yields every future response, whereas a copied OTP code is useless once it has been used.
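To make the grid mechanism and its weak points concrete, here is an added example (not Entrust’s code, nor anything from the project described above) of a server-side grid challenge-response.  The card layout (5 rows A–E by 10 columns of single digits), the 3-cell challenge and the 3-failure lockout are assumptions chosen for illustration; the last function puts a number on the ‘three digits’ concern by comparing the odds of a blind guess against a 6-digit OTP.

```python
"""Grid ('bingo card') challenge-response, modelled as an added example.

Not Entrust's implementation.  Assumed layout: 5 rows (A-E) x 10 columns of
single digits, a 3-cell challenge per login and lockout after 3 failures.
"""
import secrets

ROWS = "ABCDE"
COLS = range(1, 11)
CHALLENGE_CELLS = 3
MAX_FAILURES = 3


def make_card():
    """Issue one card: map cell labels such as 'B7' to one printed digit."""
    return {f"{r}{c}": str(secrets.randbelow(10)) for r in ROWS for c in COLS}


def issue_challenge(card):
    """Pick distinct cells the user must read back from the paper card."""
    cells = list(card)
    picked = []
    while len(picked) < CHALLENGE_CELLS:
        cell = cells[secrets.randbelow(len(cells))]
        if cell not in picked:
            picked.append(cell)
    return picked


def expected_response(card, challenge):
    """What the server expects: the digits in the challenged cells, in order."""
    return "".join(card[cell] for cell in challenge)


def verify(card, challenge, response, failures):
    """Server-side check.  Returns (accepted, failures_after).

    A timing-safe compare and a lockout counter are the server's defences:
    a 3-digit response has only 10**3 possibilities, so without a lockout an
    online guesser would expect to succeed after roughly 500 attempts.
    """
    if failures >= MAX_FAILURES:
        return False, failures          # locked out; do not even compare
    if secrets.compare_digest(expected_response(card, challenge), response):
        return True, 0                  # success resets the counter
    return False, failures + 1


def guess_probability(response_digits, attempts):
    """Chance that `attempts` blind guesses hit a numeric code of that length."""
    return min(1.0, attempts / 10 ** response_digits)


if __name__ == "__main__":
    card = make_card()
    chal = issue_challenge(card)
    print(chal, verify(card, chal, expected_response(card, chal), 0))
    print("3 grid digits, 3 tries:", guess_probability(3, MAX_FAILURES))  # 0.003
    print("6-digit OTP, 3 tries:", guess_probability(6, MAX_FAILURES))    # 3e-06
```

Because the card itself is static, a copy of the `card` dict passes `verify` exactly as the original does, which is the photocopy threat in miniature.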

Bingo cards can work well for business-to-business applications where the frequency of use is low to moderate, and the level of data sensitivity is considered moderate.


Out-of-band better?

Identity Blogger has an interesting post today on how HSBC is moving towards ‘out of band’ 2-factor authentication to improve the overall security of its banking services.  The bank wants to reduce the risks by having the customer enter their one time PIN over a phone channel.

The main risk is that of a compromised PC being used to enter the PIN, as it would with RSA, Secure Computing, Entrust or most other solutions.  But hasn’t the trojan already got the easy secret, the password, and will it now only get the one-time password?  How is that improving the overall security for the session?  I suppose it assures HSBC that the second factor is collected on a ‘secure’ channel, thereby proving the user is who they claim they are…

Problem: I think my daughter, after much over-the-shoulder surfing, has my password figured out.  Last I checked she answers the phone in our house.  Fast forward a few years when she’s short on cash and going out for the evening (and perhaps not the angel she is today…) — does this proposed solution by HSBC now not make it easier for her to gain access to my account?

Of course, the main use case for HSBC would be two-factor for large value commercial transactions, so my teenage scenario may not apply.  But surely those who are interested in gaining access to such a commercial account can be just as cunning as a 14 year old…


Privacy and the customer

I attended a rather good security and privacy conference earlier this year in Victoria, BC, and one of the presenters made some very interesting observations on privacy.  David Skillicorn from Queen’s University presented ‘Businesses, Customers and Relationship’.

There are some real insights in this material and if you get a chance to see this fellow’s presentation in person, don’t miss it.  Here are some of the more interesting ideas that Mr. Skillicorn offered up:

1. Privacy is new; it didn’t exist until the last century or so.  In fact, while privacy is now considered a right in most societies, throughout human history it barely even existed as a concept.

2. Consumers get better product and service offerings when a company knows something about them.  Product offerings can be tailored, discounts offered.  What information would you give up to get a $10 off grocery coupon?

3. Consumers consider companies to be ‘friends’ and want to develop long-lasting relationships (really!).  Trust plays a significant role in whether this relationship continues, and privacy breaches can effectively destroy that trust.  A growing number of data breaches is proving this to be true — one estimate I heard at the conference was that a mis-handled data breach could cause a company to lose 20 to 25% of its customers!

He summarized by saying that businesses need to understand that while data is very easy to collect from their customers, the company’s data use and protection policies must be strong to ensure future breaches of trust do not occur.  This, in theory, should drive more responsible data mining and data management practices.

My guess is that it will take some time before quarterly-results-obsessed marketers come to this realization.  As a result, the frequency and severity of data breaches will increase in the next few years…


Combining security responsibilities

Many clients and more than one IT security ‘expert’ have told me that there are few differences between the processes and organizational constructs of IT security and physical security.  Both are concerned with protecting the company from bad guys, whether their assaults be on the ground or on the wire. 

Is this true?  It would seem that the jury is still out – while I know one company where this has been implemented, many others are still managing IT and physical security as separate groups.

Both CSO Online and Computer World have written about this topic, and the issues seem to be related to culture and pay.  IT culture is experimental and dynamic, whereas traditional security takes a more conservative approach.  And because salaries for employees in IT shops can be quite a bit higher than those paid for physical security staff, there is a risk of staff conflict if these groups are combined.

But there are many opportunities to share process and management efforts.  Identity proofing processes are (or should be) virtually the same.  Authentication/access devices can be combined and managed together.  Monitoring of IT and physical security feeds can be made more efficient.  And a single point of contact (CSO) – with easy information sharing – can reduce impacts of breaches and false alarms.  All these add up to big cost savings, improved efficiency and improved security.

Do the benefits out-weigh the difficulties of merging and then managing all security staff as a single unit?


Convergence is the prize…

I mentioned in the last post that we recently reviewed hardware and software that could work well for solutions that converged authentication, building access and (potentially) entitlements.  Two stood out from the rest: HID Crescendo cards and Aladdin’s USB eTokens.

Building access cards are ubiquitous in companies that have secured buildings and offices.  HID Corp. is the de facto building access solution (at least around here) and many large companies have a significant investment in HID products.  The Crescendo card has two proximity antennae and a smart chip for storing digital certificates or other data.  In our project, we were able to (quite easily) prove that the card would gain access to our building, and provide strong authentication during network login.  Other potential uses include:

  • Preboot authentication
  • Storage of entitlements, e-cash or other pre-payment data
  • Employee picture ID card
  • Disk encryption

Aladdin’s USB eToken has similar capabilities, albeit in a different form factor.  We proved that it can provide strong authentication to Windows using Aladdin’s replacement login utility.  It can support all the same features as the HID solution — yes, even a proximity component for building access is possible — except, obviously, the picture ID.

The point of this post isn’t to promote these products — there are others that can produce the same results — but rather to illustrate how technology can support convergence use cases.  Users don’t want a card for building access, another for picture ID, a fob for network access and a USB for pre-boot authentication. 

Convergence of these capabilities into a single form-factor should be the goal for the simple reason that it increases acceptance of the IT security solution being implemented.  Greater acceptance = higher usage and better security.


Strong Authentication – and convergence

Recently, I had a mid-sized municipal government ask us to help them discover different technologies for strong authentication.  The great part about this project was that they were very keen to find out how the actual products worked – as a result we were immersed in gadgets and slick software for over two months.

The purpose of the project wasn’t to pick a solution or prepare requirements for a future tender.  Rather it was to enable the client to experiment with different solutions – and to validate the claims of assorted strong authentication vendors.  Another interesting aspect of this work was the inclusion of physical building access and transit entitlements, with the goal of uncovering what convergence options there were for this family of technology.

We had a solid lineup of vendors on our test bed: Entrust, Secure Computing, HID, Aladdin and RF Ideas.  Operating systems included Microsoft Server 2003 and Red Hat Linux.  We looked at USB tokens, fobs, grid cards, SMS messaging, proximity cards, smart cards and combination cards.  Much fun was had…

Over the next few weeks I’ll share some of the learnings of this project, but the first finding was this: Authentication, physical access and entitlement technologies can be converged into single solutions. 


Who are you? Part two

When we work with clients on identity proofing designs, it is surprising how difficult it is to establish parallels between real world identities and electronic identities.  In some cases, the physical identity process is considered sacred, one that cannot be modified or added to for the purposes of adding an e-business identity.   Government and private sector alike struggle to align these two similar — same? — processes.

In other cases, we are asking clients about confirming identity for the first time — they simply don’t have existing business processes to properly validate the user when conducting business.  They haven’t considered formal process in this area because the need for serving up sensitive information is so new.  And they recognize that developing this process will cross organizational boundaries and create disruption at a business level (after all, this isn’t a technology issue).

Identity proofing is a critical issue in identity management and it needs to be carefully designed to ensure that users are appropriately identified before they are allowed access to sensitive information. 
Bottom line: Identity proofing for electronic identities is fundamentally the same as identity proofing in the real world.  In other words, proving you are who you are is the same regardless of how you conduct business!