By George Romas
Why does security have to be so onerous? Is this password secure enough: Mxyzptlk? Wait, that might be vulnerable to a comic book dictionary attack (bonus points for Superman fans), so let’s add some numbers and special characters: M4xyZ!ptL#K. Not bad, but suppose policy requires 12 or more characters; we have to pad the password: 0M4xyZ!9ptL#K. Now that’s secure – good luck remembering it!
We’ve migrated to a userid-password society; as we’ve added layers of security, we password-protect each layer: PC (and now device), network, enclave, application, database, and storage (encryption). Don’t use the same password for everything, because if the bad guys crack one, they own you. We’re not done yet, though – badges for physical access, PKI, USB keys, SmartCards, soft certs, biometrics, Network Access Control, firewalls, IPS/IDS, SIEM … I could go on and on. As you try to simplify the user experience and reduce friction, the cost for security goes up. Userids and passwords are almost free. It’s much easier to use biometrics or a SmartCard to identify yourself to a system or application. However, those solutions require fingerprint readers, better encryption, key management programs, and card provisioning systems, which also translates to more people needed to manage the security infrastructure. A telling example is the Department of Defense and its approach to mobile security. After investing in deployment of secure physical and cyber access via the Common Access Card (CAC), it made sense to leverage that investment in the mobile realm. However, to use CAC with an Apple iPhone, you need to buy a sled – an iPhone case with integrated card reader. The solution works well, however the sled costs more than the iPhone!
Instituting secure computing behavior can be ingrained, but it has to be built into both policies and culture. Working in secure government spaces for over 30 years, I lock my computer screen at home whenever I step away, have a strong password on my WiFi network, encrypt sensitive personal data, and have mirrored hard drives in my Network Attached Storage (NAS) device. However, that behavior is somewhat “old school” and the product of a very focused environment. Today’s computing culture is characterized by instant-on, always on, and always connected. Anything that slows you down, like having to enter a PIN to unlock your phone, is friction.
Can we overcome the friction of security? There are some attempts to improve usability, with an accompanying decrease in the strength of secure solutions. Referring back to the CAC, and SmartCards in general, the National Institute of Standards and Technology (NIST) has published a draft of Special Publication (SP) 800-157, “Guidelines for Derived Personal Identity Verification (PIV) Credentials.”
Instead of dealing with the additional cost and usability issues of a sled, you can derive a credential from the original cert that resides on your CAC or PIV card. That derived credential is transferred to a mobile device’s internal storage or microSD card, and can be used to authenticate an individual to an organization’s resources. The derived credential isn’t as strong as the original because it’s cryptographically removed from the cert that was vetted and checked through a strict, formal process. However, the derived credential has less friction.
I’ll use another mobility example here, just because computing is becoming more and more portable as devices incorporate improved and additional capabilities. The primary method for protecting your device against tampering today is password or PIN. No one likes having to enter that PIN – it takes an extra 2-3 seconds of focused attention. Definitely not instant access! Plus it’s another password to remember (if you happen to have separate passwords to access accounts of different sensitivity)! So Apple came up with Touch ID on their iPhone 5s. Once you register a fingerprint, it’s a simple touch to the main button to unlock your device. Less friction equals better user experience while providing a better level of security.
There are other innovative solutions coming to market that embrace the idea of frictionless security. The main concept is to leverage big data to determine the unique identity of an individual based on his or her behavior. Over time, our use of devices and network resources will form a pattern; no two people should have the same behavioral patterns. One company that’s developed this approach is ThreatMetrix.
Their two-factor authentication solution consists of a unique device ID and the big data pattern associated with it. The solution is intriguing – if my behavior can be proven to uniquely identify me (what ThreatMetrix calls a Persona ID), then my access and interaction with network resources could be frictionless.
Relating back to my previous blogs on continuous monitoring and the IoT, this frictionless security will become even more important in the near future. Today, you log into work accounts (network, financial, remote access, personnel, maybe more) and home accounts (WiFi, shopping, travel, financial, social networks, definitely more) with at least userid/password, and possibly something more secure (two-factor, multi-factor). Imagine having to do the same for your refrigerator, thermostat, home security system, and automobile. As more computing devices and sensors become integrated in our daily lives, security becomes even more critical in protecting our privacy and safety. We have to develop security methods that are easy to use, yet provide sufficient protections to keep us safe. The equation needs to be Modern Security = Frictionless.
This post first appeared on George Romas’ HP Blog