Blog posts by Mike Small
Identity Management – Process or Technology?
One line of thinking has been that the major cause of identity theft and data loss is poor process and that strengthening the process is the key approach. Strong processes are indeed required but a strong process can be undermined by a weakness in technology.
A person's electronic identity depends upon the process that establishes and manages it. Even biometrics depend upon the identity of the person first being confirmed through a process or paper trail.
However the mechanism for proving the identity (authentication) needs to be chosen according to the risk. Traditionally this risk was determined by the circumstances under which the identity is used, for example access to e-mail from inside the office. A password is cheap but relatively weak; stronger forms like smart cards are expensive. The RSA SecurID token was a nice compromise.
Wrongly assessing the risk or choosing the wrong technology undermines the process. The recent closure of the European carbon trading market is an example of what happens when this goes wrong. Most operations at Europe’s 30 registries for greenhouse-gas emissions were suspended on Jan. 19 after a Czech trader reviewing his $9 million account found “nothing was there.” The EU estimates permits worth as much as 29 million Euros ($39 million) may be missing. Was this process or technology?
Now that systems are regularly accessed via the internet, for example by mobile employees or through adoption of the Cloud, a more resilient technology is needed. An emerging solution to this is “versatile authentication”, where multiple contextual factors, such as the location of the request, the time of day and the value of the transaction, are taken into account when deciding how much proof of identity to demand. A versatile approach can be quickly reconfigured to demand further proof of identity when a new vulnerability appears.
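The following is an added example, not code from the original post or from any vendor product, of what a minimal “versatile” (risk-based) authentication policy looks like. Each request carries context signals; rules score them, and the total selects the assurance level demanded. Because the rules are plain functions in a list, the policy can be tightened in response to a new attack by adding a rule or lowering a threshold, without touching the authenticator. All signal names, weights, thresholds and level names are assumptions of the example.

```python
"""Added example (not from the original post): a minimal risk-based
("versatile") authentication policy. Signal names, weights, thresholds
and level names are illustrative assumptions."""
from dataclasses import dataclass


# Constructed sample of the context an access gateway could attach to a request.
@dataclass
class AuthRequest:
    user: str
    country: str              # country of the source IP address
    home_country: str         # country the user normally signs in from
    hour: int                 # local hour of the request, 0..23
    transaction_value: float  # value moved by the operation, 0 for a plain login
    device_known: bool        # device fingerprint seen before for this user


# Assurance levels, weakest first. Index 0 is the cheap but weak password.
LEVELS = ("password", "password+otp", "password+otp+out-of-band approval")


def rule_foreign_location(r: AuthRequest) -> int:
    return 40 if r.country != r.home_country else 0


def rule_off_hours(r: AuthRequest) -> int:
    return 20 if r.hour < 7 or r.hour > 20 else 0


def rule_high_value(r: AuthRequest) -> int:
    return 50 if r.transaction_value >= 10_000 else 0


def rule_unknown_device(r: AuthRequest) -> int:
    return 30 if not r.device_known else 0


class Policy:
    """Sum of rule scores, mapped onto LEVELS by two thresholds."""

    def __init__(self, rules, thresholds=(30, 70)):
        self.rules = list(rules)
        # score < thresholds[0] -> LEVELS[0]; < thresholds[1] -> LEVELS[1]; else LEVELS[2]
        self.thresholds = thresholds

    def add_rule(self, rule):
        """Reconfigure the policy at run time, e.g. after a new attack pattern is seen."""
        self.rules.append(rule)

    def score(self, r: AuthRequest) -> int:
        return sum(rule(r) for rule in self.rules)

    def required_level(self, r: AuthRequest) -> str:
        s = self.score(r)
        if s < self.thresholds[0]:
            return LEVELS[0]
        if s < self.thresholds[1]:
            return LEVELS[1]
        return LEVELS[2]


DEFAULT_POLICY = Policy([rule_foreign_location, rule_off_hours,
                         rule_high_value, rule_unknown_device])


def decide(r: AuthRequest, policy: Policy = DEFAULT_POLICY) -> str:
    """Return the assurance level the user must satisfy for this request."""
    return policy.required_level(r)


if __name__ == "__main__":
    office = AuthRequest("alice", "DE", "DE", 10, 0, True)          # score 0
    abroad = AuthRequest("alice", "RU", "DE", 3, 25_000, False)     # score 140
    new_device = AuthRequest("bob", "DE", "DE", 10, 500, False)     # score 30
    print(decide(office), "|", decide(abroad), "|", decide(new_device))
    # Fraud from unknown devices is observed: tighten the policy without redeploying.
    DEFAULT_POLICY.add_rule(
        lambda r: 40 if (not r.device_known and r.transaction_value > 0) else 0)
    print(decide(new_device))  # now 70 -> strongest level
```

A real deployment would feed the score from a device-fingerprint service, a geo-IP database and the application’s transaction data; the point of the structure is that the decision is data-driven and can be changed on the day a new attack is discovered.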
During the 1980s and 1990s the value of sharing information through “Groupware” was rated very highly and the need for security was downgraded. The access control mechanism implemented in most environments is “Discretionary Access Control” or DAC. In DAC the owner of a piece of information decides who may access it, and anyone granted access then has discretion over what they do with it: they can copy it, print it, e-mail it and so on. This makes it easy for someone with legitimate access to steal or misuse information. During the 1970s a stronger form of access control was developed called “Mandatory Access Control” or MAC. In MAC data is tagged with a classification label, only people cleared for that label are able to read it, and the system itself prevents a cleared person from copying the data to a less restricted place where an unauthorised person could reach it. This approach has now been reinvented under the names Data Loss Prevention and Digital Rights Management.
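To make the DAC/MAC distinction concrete, here is an added example (not from the original post) of the two models side by side. In the DAC store the owner decides who may read an object, but any legitimate reader can copy the data into an object they own and share the copy at will. The MAC store labels every object and gives every user a clearance, and a reference monitor enforces the two Bell-LaPadula rules: no read up, and no write down, implemented here as a high-water-mark simplification in which a user may only write at or above the highest label they have read in the session. Users, labels and data are constructed for the example.

```python
"""Added example (not from the original post): why DAC lets an authorised
reader leak information and MAC does not. Users, labels and data are
constructed for the example."""
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2}


class DacStore:
    """Discretionary access control: the owner of an object grants access."""

    def __init__(self):
        self.objects = {}  # name -> {"owner": str, "readers": set, "data": str}

    def create(self, owner, name, data):
        self.objects[name] = {"owner": owner, "readers": {owner}, "data": data}

    def grant_read(self, requester, name, user):
        obj = self.objects[name]
        if obj["owner"] != requester:  # only the owner may grant access
            raise PermissionError("not owner")
        obj["readers"].add(user)

    def read(self, user, name):
        obj = self.objects[name]
        if user not in obj["readers"]:
            raise PermissionError("no read access")
        return obj["data"]

    def copy(self, user, src, dst):
        # The reader becomes owner of the copy; the system has no further say
        # over where the data goes.
        self.create(user, dst, self.read(user, src))


class MacStore:
    """Mandatory access control: labels on data, clearances on users."""

    def __init__(self, clearances):
        self.clearances = clearances                   # user -> label
        self.objects = {}                              # name -> (label, data)
        self.high_water = {u: 0 for u in clearances}   # highest label read so far

    def read(self, user, name):
        label, data = self.objects[name]
        if LEVELS[label] > LEVELS[self.clearances[user]]:
            raise PermissionError("no read up")
        self.high_water[user] = max(self.high_water[user], LEVELS[label])
        return data

    def write(self, user, name, label, data):
        if LEVELS[label] < self.high_water[user]:
            raise PermissionError("no write down")
        self.objects[name] = (label, data)

    def copy(self, user, src, dst, dst_label):
        self.write(user, dst, dst_label, self.read(user, src))


def dac_leaks() -> bool:
    """bob, a legitimate reader, republishes alice's data to mallory."""
    s = DacStore()
    s.create("alice", "plan.txt", "acquire competitor")
    s.grant_read("alice", "plan.txt", "bob")
    s.copy("bob", "plan.txt", "copy.txt")
    s.grant_read("bob", "copy.txt", "mallory")
    return s.read("mallory", "copy.txt") == "acquire competitor"


def mac_leaks() -> bool:
    """The same attempt under MAC: bob's copy down to PUBLIC is refused."""
    s = MacStore({"alice": "SECRET", "bob": "SECRET", "mallory": "PUBLIC"})
    s.write("alice", "plan.txt", "SECRET", "acquire competitor")
    try:
        s.copy("bob", "plan.txt", "copy.txt", "PUBLIC")
    except PermissionError:
        return False
    return s.read("mallory", "copy.txt") == "acquire competitor"


if __name__ == "__main__":
    print("DAC leaks:", dac_leaks())  # True
    print("MAC leaks:", mac_leaks())  # False
```

The DLP and DRM products the text mentions apply the same idea to documents and e-mail: the tag travels with the data, and the enforcement point, not the user, decides whether a copy, print or send is allowed.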
Many organizations have poor processes for identifying valuable information and poor technology to prevent that information from leaking. See the recent example of a former Goldman Sachs programmer who stole key intellectual property. http://www.bloomberg.com/news/2011-03-16/ex-goldman-programmer-aleynikov-s-conviction-is-upheld-by-trial-judge.html
Abuse of Privilege
The infrastructure upon which cloud computing is built needs to be managed and maintained. To perform these tasks the servers, platforms and applications need powerful administrator accounts. These accounts are used by the Cloud Service provider to perform essential administration, yet they represent a potential risk because they allow powerful actions which include: bypassing normal access controls to read application data and changing or erasing entries in the system log. Managing the identity of these administrators is a critical issue for information security in the Cloud.
Distributed systems technology has an inherent weakness: the privileged accounts. Many organizations do not have processes in place to compensate for this. See the recent example of an administrator who held the City of San Francisco to ransom. http://www.pcworld.com/businesscenter/article/148469/it_admin_locks_up_san_franciscos_network.html
Privilege Management (PxM) technology is an emerging solution to manage this weakness.
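One of the powerful actions named above is changing or erasing entries in the system log. As an added example (not from the original post, and not any PxM product’s own code), here is a hash-chained audit log in which every entry commits to the hash of the one before it, and the current chain head is handed to a party the administrator cannot overwrite (a separate log collector, assumed here to be the caller of `verify`). An administrator who edits, deletes or inserts an entry breaks the chain; one who truncates the tail leaves a consistent chain that no longer ends at the published head. The log records are constructed.

```python
"""Added example (not from the original post): a hash-chained audit log
that makes deletion or alteration of entries by an administrator detectable.
The chain head must be stored where the administrator cannot write it,
which is an assumption of this example. Log records are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of its predecessor."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # list of (record, hash)

    def append(self, record: dict) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append((record, h))
        return h

    def head(self) -> str:
        """Value to publish out of band after each batch of entries."""
        return self.entries[-1][1] if self.entries else GENESIS


def verify(entries, expected_head: str):
    """Return (ok, index). index is the first bad entry, len(entries) if the
    chain is internally consistent but truncated, or None when ok."""
    prev = GENESIS
    for i, (record, h) in enumerate(entries):
        if entry_hash(prev, record) != h:
            return False, i          # altered, removed or inserted entry
        prev = h
    if prev != expected_head:
        return False, len(entries)   # tail cut off
    return True, None


def sample_log() -> AuditLog:
    """Constructed admin session: a read of application data is recorded."""
    log = AuditLog()
    log.append({"who": "dbadmin", "action": "login", "host": "db01"})
    log.append({"who": "dbadmin", "action": "select * from customers", "host": "db01"})
    log.append({"who": "dbadmin", "action": "logout", "host": "db01"})
    return log


if __name__ == "__main__":
    log = sample_log()
    head = log.head()                      # sent to the collector
    print(verify(log.entries, head))       # (True, None)
    no_middle = [log.entries[0], log.entries[2]]
    print(verify(no_middle, head))         # (False, 1): the embarrassing entry is gone
    print(verify(log.entries[:2], head))   # (False, 2): tail removed
```

Signing each head (or the whole chain) with a key the administrator does not hold turns the out-of-band head into a verifiable statement rather than a value that could itself be replaced.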
Bottom line - strong process always needs to be backed by good technology. Many of the technologies in use today have significant weaknesses and vendors need to work to remove these.
Last week I had the privilege of attending a seminar at which Peter Hustinx, the EU Privacy Commissioner outlined the future approach on personal data protection in the European Union. This approach includes “a right to be forgotten” as well as mandatory data breach reporting.
Given that the WikiLeaks website has recently released some 250,000 documents that were supposedly “private” reports by US embassies, you might ask “what does privacy mean?” Well, privacy in this context is more narrowly defined as privacy of personal information.
In the EU privacy is based on the European Convention on Human Rights; Article 8 of this convention guarantees a right to privacy:
- Everyone has the right to respect for his private and family life, his home and his correspondence.
- There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
15 years ago the EU led the world in the area of privacy legislation; however, rapid technological developments and globalisation have profoundly changed the world around us and brought new challenges for the protection of personal data. To meet these challenges, in early November the EU published a document describing the direction for privacy and data protection. This document contains the following introductory paragraph:
“Today technology allows individuals to share information about their behaviour and preferences easily and make it publicly and globally available on an unprecedented scale. Social networking sites, with hundreds of millions of members spread across the globe, are perhaps the most obvious, but not the only, example of this phenomenon. ‘Cloud computing’ - i.e., Internet-based computing whereby software, shared resources and information are on remote servers (‘in the cloud’) could also pose challenges to data protection, as it may involve the loss of individuals' control over their potentially sensitive information when they store their data with programs hosted on someone else's hardware. A recent study confirmed that there seems to be a convergence of views – of Data Protection Authorities, business associations and consumers' organisations – that risks to privacy and the protection of personal data associated with online activity are increasing.”
The strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:
- Strengthening individuals’ rights (Directive 95/46/EC) so that the collection and use of personal data is limited to the minimum necessary; improving the notion of informed consent; considering mandatory breach notification, as the e-Privacy Directive 2002/58/EC (amended by Directive 2009/136/EC) already requires of telecommunications providers; and providing a “right to be forgotten” when data is no longer needed or the individual wants it deleted.
- Enhancing the internal market dimension. Data Protection in the EU has a strong internal market dimension, i.e., the need to ensure the free flow of personal data between Member States within the internal market. As a consequence, the Directive’s harmonisation of national data protection laws is not limited to minimal harmonisation but amounts to harmonisation that is generally complete.
- Revising the data protection rules in the area of police and judicial cooperation in criminal matters. There is a need to have a ‘comprehensive protection scheme’ and to strengthen the EU's stance in protecting the personal data of the individual in the context of all EU policies, including law enforcement and crime prevention.
- The global dimension of data protection. Clarifying and simplifying the rules for international data transfers. Data processing is globalised and calls for the development of universal principles for the protection of individuals with regard to the processing of personal data.
So what does this all mean for organizations and individuals? There is no doubt that mandatory data breach notification will focus the minds of organizations on the security of their IT systems. Much has been made of theft of data by cyber criminals; while this is important, misuse of data by insiders is also a significant problem. I would expect to see an increased interest in “Data Leak Prevention” technology, which can control the transmission of data based on its content, and in encryption to control access to data which gets “lost”.
From the perspective of individuals, the direction does little to protect people from themselves. The person using a social networking site remains at liberty to give away personal information about themselves, even to their own detriment, as has been illustrated by many recent news stories. They can also send ill-judged messages that are publicly visible using Twitter, which have on occasion led to criminal convictions. Perhaps the “right to be forgotten” could include these classes of data?
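The content-based control mentioned above can be illustrated with an added example (not from the original post, and not the code of any DLP product): an outbound message is scanned for card numbers, candidates are confirmed with the Luhn check digit so that long order or serial numbers do not trigger false positives, and the result is mapped to a decision. The sample messages, the decision names and the rule that internal recipients get encryption while external ones are blocked are assumptions of the example.

```python
"""Added example (not from the original post): a content-based DLP check
for payment card numbers in an outbound message. Decision names and the
internal/external rule are assumptions; sample messages are constructed."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def dlp_decision(message: str, recipient_domain: str, internal_domain: str) -> str:
    """'allow' when no card number is present, 'encrypt' for an internal
    recipient, 'block' for an external one."""
    if not find_pans(message):
        return "allow"
    return "encrypt" if recipient_domain == internal_domain else "block"


if __name__ == "__main__":
    # Constructed messages: a real test card number, and a 16-digit order
    # number that fails the Luhn check and so must not be blocked.
    print(dlp_decision("Please charge card 4111 1111 1111 1111", "gmail.com", "example.com"))
    print(dlp_decision("Please charge card 4111 1111 1111 1111", "example.com", "example.com"))
    print(dlp_decision("Order 4111111111111112 has shipped", "gmail.com", "example.com"))
```

Real DLP engines add many more detectors (national ID formats, document fingerprints, classification tags such as the MAC labels discussed earlier) and inspect attachments as well as message bodies, but the shape is the same: a cheap pattern, a validation step to cut false positives, and a policy that decides what happens to the transmission.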