Does Anyone Have Secure Access Figured Out?

Nothing gets headlines like a data breach and nothing protects against breaches like multi-level authentication.

The challenge is balancing security with convenience and cost. It’s not that it’s impossible to keep all your data locked up and secure. It is. It’s that making it secure and accessible is so difficult.

“Why is identity such a complex problem?” asks Nico Popp, Symantec’s Vice President, Information and Identity Protection told a gathering at the Symantec Government Symposium recently. “Fundamentally, it’s difficult because you have to think of identity (authentication) in three dimensions.” Those include security, cost, and user experience.

What works in one circumstance won’t work in another. People have different expectations for security based on the kinds of information potentially at risk.

Paul Hunter, Deputy Chief, Biometrics Division, U.S. Department of Homeland Security’s Citizenship and Immigration Services, collects fingerprints from people applying for citizenship. Future citizens are willing to give up that personal biometric data because of the payoff at the end of the road. But would users of e-commerce sites be willing to go so far?

Pointing to an iPhone, with its built-in finger-print sensor, Hunter suggested that if it were convenient enough, consumers might indeed be willing.

Financial firms, meanwhile, depend on knowledge-based authentication — confirming someone’s identity and granting access by asking questions that only they can answer because they are specific to them, like who was your favorite teacher? That works well for the financial services industry, said Steve Lazerowich, Director, Cybersecurity Solutions, U.S. Public Sector, Hewlett Packard. But when there’s a breach, companies risk the exposure of the personal data of a substantial number of users, and collecting that personal data could arm hackers with the information to commit more fraud.

“What do you do at that point for that individual who’s had their personal information…compromised?” Lazerowich asked.

Deb Gallagher, Defense Manpower Data Center Special Advisor, Department of Defense, said convenience was set aside when the Pentagon adopted the Common Access Card for network access 10 years ago. But it was worth the sacrifice: The Defense Department immediately saw a 46 percent reduction in successful intrusions.

“It’s not cheap, and sometimes it’s not easy to use,” Gallagher said. But it works.

The New, New Thing?
Facial recognition and retinal scans remain potential opportunities in the future. HP’s Lazerowich said he knows of one firm that’s trying to use the cameras embedded in laptops and desktop monitors to scan users’ faces when they log in, and to identify if anyone is looking over their shoulder.

If the camera detects another person in the field of view, it terminates the session to prevent the second person from stealing log-in information.

How Much Authentication is Enough?
What does the future hold? Mike Garcia, Deputy Director, National Strategy for Trusted Identities in Cyberspace at the National Institute for Standards and Technology (NIST), suggests that standards need to be flexible.

“One of the things we need to avoid is tricking ourselves into believing we always need strong authentication,” Garcia said. “It’s about figuring out when the strength profile matches the strength of authentication.”

Convenience over Security
No matter what agencies or organizations do to improve security, they can’t always anticipate how their employees or users will respond.

Google tried to give away strong authentication to Gmail users to improve security, Popp said.

“It failed miserably because consumers will never trade convenience for security,” he said. “The extra step of adding a one-time password” was too high a hurdle. “People don’t want to do it.”

At NIST, Garcia is trying to help develop standards that help answer that problem, and help agencies and private industry see that the more information they collect to ease authentication, the more risk they ultimately take on should they someday suffer a breach.

What steps does your agency take? Are they effective? Let us know what works and what doesn’t.

Listen to the full discussion on secure information access, read the complete Internet Security Threat Report, or see a list of all session podcasts.

Feel like sharing something Noteworthy? Post a comment below or email me at bglanz@300brand.com.

Bill Glanz is the content director for MeriTalk and its Exchange communities. In the past 14 years, he has worked as a business reporter, press secretary, and media relations director in Washington, D.C.