Overcoming the Equation: Security = Friction


Why does security have to be so onerous? Is this password secure enough: Mxyzptlk? Wait, that might be vulnerable to a comic book dictionary attack (bonus points for Superman fans), so let’s add some numbers and special characters: M4xyZ!ptL#K. Not bad, but suppose policy requires 12 or more characters; we have to pad the password: 0M4xyZ!9ptL#K. Now that’s secure – good luck remembering it!

We’ve migrated to a userid-password society; as we’ve added layers of security, we password-protect each layer: PC (and now device), network, enclave, application, database, and storage (encryption). Don’t use the same password for everything, because if the bad guys crack one, they own you. We’re not done yet, though – badges for physical access, PKI, USB keys, SmartCards, soft certs, biometrics, Network Access Control, firewalls, IPS/IDS, SIEM … I could go on and on. As you try to simplify the user experience and reduce friction, the cost of security goes up. Userids and passwords are almost free. It’s much easier to use biometrics or a SmartCard to identify yourself to a system or application. However, those solutions require fingerprint readers, better encryption, key management programs, and card provisioning systems, which also translates to more people needed to manage the security infrastructure. A telling example is the Department of Defense and its approach to mobile security. After investing in deployment of secure physical and cyber access via the Common Access Card (CAC), it made sense to leverage that investment in the mobile realm. However, to use a CAC with an Apple iPhone, you need to buy a sled – an iPhone case with an integrated card reader. The solution works well; however, the sled costs more than the iPhone!

Secure computing behavior can be ingrained, but it has to be built into both policies and culture. Working in secure government spaces for over 30 years, I lock my computer screen at home whenever I step away, have a strong password on my WiFi network, encrypt sensitive personal data, and have mirrored hard drives in my Network Attached Storage (NAS) device. However, that behavior is somewhat “old school” and the product of a very focused environment. Today’s computing culture is characterized by instant-on, always on, and always connected. Anything that slows you down, like having to enter a PIN to unlock your phone, is friction.

Can we overcome the friction of security? There are some attempts to improve usability, with an accompanying decrease in the strength of secure solutions. Referring back to the CAC, and SmartCards in general, the National Institute of Standards and Technology (NIST) has published a draft of Special Publication (SP) 800-157, “Guidelines for Derived Personal Identity Verification (PIV) Credentials.”

Instead of dealing with the additional cost and usability issues of a sled, you can derive a credential from the original cert that resides on your CAC or PIV card. That derived credential is transferred to a mobile device’s internal storage or microSD card, and can be used to authenticate an individual to an organization’s resources. The derived credential isn’t as strong as the original because it’s cryptographically removed from the cert that was vetted and checked through a strict, formal process. However, the derived credential has less friction.

I’ll use another mobility example here, just because computing is becoming more and more portable as devices incorporate improved and additional capabilities. The primary method for protecting your device against tampering today is a password or PIN. No one likes having to enter that PIN – it takes an extra 2-3 seconds of focused attention. Definitely not instant access! Plus it’s another password to remember (if you happen to have separate passwords to access accounts of different sensitivity)! So Apple came up with Touch ID on their iPhone 5s. Once you register a fingerprint, it’s a simple touch of the main button to unlock your device. Less friction equals a better user experience while providing a better level of security.

There are other innovative solutions coming to market that embrace the idea of frictionless security. The main concept is to leverage big data to determine the unique identity of an individual based on his or her behavior. Over time, our use of devices and network resources will form a pattern; no two people should have the same behavioral patterns. One company that’s developed this approach is ThreatMetrix.

Their two-factor authentication solution consists of a unique device ID and the big data pattern associated with it. The solution is intriguing – if my behavior can be proven to uniquely identify me (what ThreatMetrix calls a Persona ID), then my access and interaction with network resources could be frictionless.

Relating back to my previous blogs on continuous monitoring and the IoT, this frictionless security will become even more important in the near future. Today, you log into work accounts (network, financial, remote access, personnel, maybe more) and home accounts (WiFi, shopping, travel, financial, social networks, definitely more) with at least userid/password, and possibly something more secure (two-factor, multi-factor). Imagine having to do the same for your refrigerator, thermostat, home security system, and automobile. As more computing devices and sensors become integrated in our daily lives, security becomes even more critical in protecting our privacy and safety. We have to develop security methods that are easy to use, yet provide sufficient protections to keep us safe. The equation needs to be Modern Security = Frictionless.

This post first appeared on George Romas’ HP Blog.


Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com
