Machine Learning Authors: Yeshim Deniz, Zakia Bouachraoui, Pat Romanski, Elizabeth White, Liz McMillan

Blog Feed Post

Overcoming the Equation: Security = Friction


Why does security have to be so onerous? Is this password secure enough: Mxyzptlk? Wait, that might be vulnerable to a comic book dictionary attack (bonus points for Superman fans), so let’s add some numbers and special characters: M4xyZ!ptL#K. Not bad, but suppose policy requires 12 or more characters; we have to pad the password: 0M4xyZ!9ptL#K. Now that’s secure – good luck remembering it!

We’ve migrated to a userid-password society; as we’ve added layers of security, we password-protect each layer: PC (and now device), network, enclave, application, database, and storage (encryption). Don’t use the same password for everything, because if the bad guys crack one, they own you. We’re not done yet, though – badges for physical access, PKI, USB keys, SmartCards, soft certs, biometrics, Network Access Control, firewalls, IPS/IDS, SIEM … I could go on and on. As you try to simplify the user experience and reduce friction, the cost for security goes up. Userids and passwords are almost free. It’s much easier to use biometrics or a SmartCard to identify yourself to a system or application. However, those solutions require fingerprint readers, better encryption, key management programs, and card provisioning systems, which also translates to more people needed to manage the security infrastructure. A telling example is the Department of Defense and its approach to mobile security. After investing in deployment of secure physical and cyber access via the Common Access Card (CAC), it made sense to leverage that investment in the mobile realm. However, to use CAC with an Apple iPhone, you need to buy a sled – an iPhone case with integrated card reader. The solution works well, however the sled costs more than the iPhone!

Instituting secure computing behavior can be ingrained, but it has to be built into both policies and culture. Working in secure government spaces for over 30 years, I lock my computer screen at home whenever I step away, have a strong password on my WiFi network, encrypt sensitive personal data, and have mirrored hard drives in my Network Attached Storage (NAS) device. However, that behavior is somewhat “old school” and the product of a very focused environment. Today’s computing culture is characterized by instant-on, always on, and always connected. Anything that slows you down, like having to enter a PIN to unlock your phone, is friction.

Can we overcome the friction of security? There are some attempts to improve usability, with an accompanying decrease in the strength of secure solutions. Referring back to the CAC, and SmartCards in general, the National Institute of Standards and Technology (NIST) has published a draft of Special Publication (SP) 800-157, “Guidelines for Derived Personal Identity Verification (PIV) Credentials.”

Instead of dealing with the additional cost and usability issues of a sled, you can derive a credential from the original cert that resides on your CAC or PIV card. That derived credential is transferred to a mobile device’s internal storage or microSD card, and can be used to authenticate an individual to an organization’s resources. The derived credential isn’t as strong as the original because it’s cryptographically removed from the cert that was vetted and checked through a strict, formal process. However, the derived credential has less friction.

I’ll use another mobility example here, just because computing is becoming more and more portable as devices incorporate improved and additional capabilities. The primary method for protecting your device against tampering today is password or PIN. No one likes having to enter that PIN – it takes an extra 2-3 seconds of focused attention. Definitely not instant access! Plus it’s another password to remember (if you happen to have separate passwords to access accounts of different sensitivity)! So Apple came up with Touch ID on their iPhone 5s. Once you register a fingerprint, it’s a simple touch to the main button to unlock your device. Less friction equals better user experience while providing a better level of security.

There are other innovative solutions coming to market that embrace the idea of frictionless security. The main concept is to leverage big data to determine the unique identity of an individual based on his or her behavior. Over time, our use of devices and network resources will form a pattern; no two people should have the same behavioral patterns. One company that’s developed this approach is ThreatMetrix.

Their two-factor authentication solution consists of a unique device ID and the big data pattern associated with it. The solution is intriguing – if my behavior can be proven to uniquely identify me (what ThreatMetrix calls a Persona ID), then my access and interaction with network resources could be frictionless.

Relating back to my previous blogs on continuous monitoring and the IoT, this frictionless security will become even more important in the near future. Today, you log into work accounts (network, financial, remote access, personnel, maybe more) and home accounts (WiFi, shopping, travel, financial, social networks, definitely more) with at least userid/password, and possibly something more secure (two-factor, multi-factor). Imagine having to do the same for your refrigerator, thermostat, home security system, and automobile. As more computing devices and sensors become integrated in our daily lives, security becomes even more critical in protecting our privacy and safety. We have to develop security methods that are easy to use, yet provide sufficient protections to keep us safe. The equation needs to be Modern Security = Frictionless.

This post first appeared on George Romas’ HP Blog


Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com

CloudEXPO Stories
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or personal computing needs.
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by researching target group and involving users in the designing process.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to advisory roles at startups. He has worked extensively on monetization, SAAS, IoT, ecosystems, partnerships and accelerating growth in new business initiatives.
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like "How is my application doing" but no idea how to get a proper answer.
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed by some of the world's largest financial institutions. The company develops and applies innovative machine-learning technologies to big data to predict financial, economic, and world events. The team is a group of passionate technologists, mathematicians, data scientists and programmers in Silicon Valley with over 100 patents to their names. Big Data Federation was incorporated in 2015 and is ...