Cybersecurity: Taller walls, deeper moats but the front gate is unguarded
27 July, 2015
category: Corporate, Digital ID, Financial, Government, Smart Cards
Identity Pearl Harbor
Numbers from the last 12-months are staggering. The Anthem Health Insurance data breach has impacted 80 million customers, and reports have it linked to corrupt credentials of privileged IT users. But that’s a drop in the bucket compared to the Russian hackers’ theft of 1.2 billion usernames and passwords across 420,000 sites.
These are just two of the more high-profile breaches. Some would think that they would be enough to push organizations to start doing more with identity. The thought has been that a single event might finally push the collective “us” over the edge and into battle – a metaphoric identity Pearl Harbor.
Sergio Galindo, general manager at network security developer GFI Software, wishes that were the case. His family’s data – including that of his children – was stolen in the Anthem breach.
Anthem has offered a year of identity theft protection, but he wants it for the rest of his children’s lives. “Their digital life is at risk forever,” he says.
Since the breach involved Social Security numbers, he fears his children will be battling fraudsters forever. “The Social Security number lasts forever and that’s how people will be impacted,” he explains.
Others aren’t as sure there will be one event that is the impetus for change. “Will it be death by 1,000 cuts?” asks Nigriny. “Or will it be some financial institution that loses a tremendous amount of money that makes everyone finally feel vulnerable?”
Consumers are already paying for these breaches, they just don’t know it yet, says Daniel Turissini, CTO at SolPass. In medical fraud alone hundreds of billions of dollars are wasted. “It’s a ridiculous amount of money and some of it can be mitigated,” he adds. “Too many people think it’s an unsolvable problem and it’s not.”
Turissini fears that the data breaches over the past two years are harvesting data. “The actors are harvesting this information and piecing it together to attack something else,” he explains. “People are at the point where they think it’s inevitable.”
Analysis: Identity is hard
IT personnel trying to convince executives that they need a new firewall or intrusion detection system have an easy sell. Both are simple-to-explain products: one keeps the bad guys out, while the other raises the alarm if the bad guys get in.
Identity and access management isn’t the same; some would call it squishy. Is it what enterprises use to enable employees to access systems and applications? Yes. Can it be used by partners to easily place orders or share information? That’s possible. Do customers use it to access information, buy things and keep track of data? That can fit the bill as well. Can one system address all three purposes? If you want it to, yes.
And while explaining what an identity and access management system can do is difficult, that is nothing compared to the actual deployment.
“Identity is a complex problem, even for smart people,” says Mary Ruddy, research director at Gartner.
Taking all employee, partner and customer information, making sure it’s properly loaded along with the proper attributes and permissions is a daunting task. And how does an enterprise justify the expense and time? What’s the benefit?
There are not that many people who know how to answer these questions and solve the problem. “There’s a big hole in cybersecurity and there aren’t too many people out there who know how to fill it,” says CertiPath’s Nigriny. But just because it is challenging doesn’t mean it can be ignored.
Even if an individual changes passwords every couple of months but ends up using the same one two years later they are at risk, says Pamela Dingle, senior technical architect at Ping Identity. “People are being systematically logged and tracked and nothing that they have done in the past has evaporated,” she explains. “I don’t understand why people aren’t running to multi-factor authentication vendors to put another obstacle in the way.”
Still, Dingle says the great identity breach is not inevitable. “There won’t be an identity Pearl Harbor, but we need a Winston Churchill to realize we’re under a protracted siege and make some changes,” she says.
Catalysts for change
Part of the problem is that digital identity is daunting. In the corporate world, enterprises can force employees to comply with whatever authentication processes they deem necessary, says Jamie Cowper, senior director of business development and marketing at Nok Nok Labs. “In the consumer world the identity problem is a bit more complicated,” he says. “You can’t force customers to use them or they’ll go somewhere else where it’s easier to make a transaction.”
There are also issues with semantics. Some in the IT world don’t put identity under the cybersecurity umbrella, says Mary Ruddy, research director at the Gartner Group. “When people think cybersecurity they don’t think about identity,” she says. “But having strong authentication is a key piece of what needs to be done.”