Discover Performance: HP Software's community for IT leaders // January 2013
Security's new identity crisis
An HP Labs researcher looks at an under-addressed aspect of virtual interactions: our highly fractured online identities create security risks at the personal and enterprise levels.
It’s clear that our continued use of mobile devices in the workplace will keep BYOD atop the CISO’s worry list in 2013 (as Robert Richardson notes in this issue), but there are other, more subtle costs to our heavy reliance on connectivity, ubiquity, and the cloud. Steven Simske, an HP Fellow in security printing and imaging for HP Labs, says sticking to the status quo in identity management is creating looming risks for individuals and enterprises alike. Read the highlights from our interview below.
Q: What are the top issues that security leaders must be thinking about in 2013?
Steven Simske: There are two classes of issues here: the no-surprise ones, and the more subtle ones that people may not have recognized as a big deal yet.
For the no-surprise issues, BYOD is huge. Who is keeping the data, where is it traveling, how safe are the credentials—passwords, certificates, keys, etc.? Also, synchronization is still in its infancy. I have 10 Internet-accessing devices at home, and counting. No two devices show the same set of emails, let alone backed-up data. I still therefore have a different set of data associated with each device.
Among the more subtle issues, though, identity management is a mess. The traditional on-ramp of possession + knowledge + identity—for example, having a card, its access code, and a camera or other biometric reader—has been replaced by a dizzying mixture of passwords, automatic logins, secret questions, etc. The whole fabric can easily unravel, and identity theft is easier simply because of this hugely increased security threat surface.
Q: How does it unravel?
SS: People have multiple passwords, multiple email accounts, and multiple online accounts. If a fraudulent entity has access to just one of those, he or she can start to break down all of the other ones through the forgotten passwords feature, by having passwords mailed to the one email that they have access to. And in some cases you can spoof people’s accounts, or [call up customer service] and have information handed over on the phone.
People don’t realize that all these instruments are connected. If you’ve got a situation in which you only need one fact to be able to counterfeit the identity of that person, that’s a very significant problem.
Q: Have people lost sight of the importance of privacy?
SS: There’s this pervasive narcissism that stimulates people to put more and more information about themselves online, to get positive feedback. And convenience is also a huge thing. People come online and say, “Well, I want to see what’s local.” And rather than exploring or finding out things the old-fashioned way, by asking people, they use location-based services. All of those GPS traces are being kept, and so somebody can find out very quickly where you are, when you are, and, really, from that, who you are.
It used to be if people wanted privacy, they could employ a lot of extra security mechanisms. Now, there is generally not an additional security mechanism, so if you want privacy, you may have to move yourself into an untenable, neo-Luddite position where you have to turn off technology that is pervasive. And because the technology is pervasive, it expects you to give up your location and compromise your privacy. It’s a catch-22. It forces us to adapt to the technology; the technology does not adapt to us.
Q: So how does this put enterprise data at risk?
SS: People get used to the social Internet tools and the new ways to share and communicate information. So all of the content that once would have passed through an intranet, or in a LAN inside the enterprise firewall, is being shared instead between individuals for sheer convenience.
The surface threat is so much larger than it was before, and that makes it difficult to track and investigate the source of intrusions. Before, you could say, “OK, the data is on a workstation, let’s kill the hard drive,” or “the data is on a floppy, so let’s find and kill the floppy.” Now, I don’t know where my enterprise data is.
The way people post business documents using Dropbox is a good example. I don’t know where the cloud is that is backing up that Dropbox: it could be in Pasadena, or it could be in Bangalore, or anywhere else in the world. It can be hacked in so many different ways that it’s very difficult for me to find out where it went wrong. It could be a Dropbox employee, it could be somebody who’s monitoring the data, it could be my own corporate IT department, because they see it passing through.
Q: Do companies have to come up with their own solutions to these problems? What are the best practices?
SS: A spider web is a very good model. When an insect flies into a web, anywhere it goes, it puts a reverberation in there that will alert the spider right away. You want to have something in place that, if it hits any part of your identity system, it reverberates throughout the organization so you can be aware of it.
For example, if someone is logged into a financial account, and all of a sudden they start doing something that is really anomalous behavior that is deleterious to the account, the person should have to leave a voice instruction along with that or provide additional authentication. People aren’t doing that right now; it’s more reactive than proactive.
Q: Is one of the solutions better training of employees about identity/privacy issues?
SS: It’s important for people to understand what’s going on, but also it’s important for you to be using a tiered approach to security—multiple security insurance mechanisms. People are still going to hack through your defenses, but if that person had to have your card, your password, and some other form of your identity, that really narrows the suspect list down and allows us to much more quickly perform our investigation and react. And that’s the important part of this.
To learn how HP’s approach to security intelligence tackles identity issues and other rising threats to the enterprise, check out Security and Risk Management at HP Enterprise Security.