This is a guest post by Adrian Asher, CISO at London Stock Exchange.
We are not secure
We are not secure. Of course by “we” I mean society at large. Passwords are an antiquated technology that has long outlived its usefulness. As an example, why do we still use PINs at ATMs? With our smartphones, we each carry around vastly complex portable computing devices, certainly more powerful than the ATM itself, yet they are not used to help authenticate us.
Yet even with this computing power in our pockets we have to type a four-digit PIN (which may have been shoulder surfed at the last shop we spent money in) into an ATM keypad. Why are we not using innovations like biometrics, which could be embedded into the ATM itself? The technology exists for these types of developments, but so far the economics have stopped them from going mainstream.
Of course, these arguments will be irrelevant if we continue to move rapidly towards digital currency and ATMs become obsolete, but it is nevertheless an example of poor security that puts people at risk. And the point stands: stronger authentication methods certainly exist, whether applied to an ATM or to an internal application within an enterprise.
A modern security approach
When we design new applications or solutions I would hope that we take a step back and look at how we can integrate some of these modern solutions into our architecture. But what about everything else?
This is where contextual identity is so important. There is only one me, but I act in different contexts: at home, at work, on holiday, travelling, and so on. If the authentication method can't be trusted to PROVE that it's me, then clearly we have to look further into the request.
There have long been solutions that provide extra context to a request, the most obvious example being the IP address you are connecting from. If that IP address is located in an expected country (I'm in the UK, so most of my access to my bank would be from the UK) then that can be taken into account when deciding whether or not to permit my logon to internet banking.
That is only the first step, and I worry that many systems are stopping there. So if we are stuck with passwords (for as short a time as is humanly possible I hope), let us at least start implementing the other controls that are needed.
In traditional architectures reliance was placed upon the perimeter. A firewall of some description would limit access to only the applications that should be accessible. Then along came application firewalls to inspect the traffic that was allowed through, based on the assumption that the application couldn't protect itself.
As we continue to evolve into a truly defence-in-depth approach, I have begun to think about these key tenets when designing (or re-architecting) new systems.
Adrian’s Identity Tenets:
1) Authentication – password, client certificate, biometric etc. Anything but a text message would be allowed. Yes, two factor, but my goal would be something I am and something I have. Nothing that I know.
2) Contextual – what device, where from, and previous interactions with that device or location.
3) Behavioural – what are they trying to do, and would that be deemed normal behaviour for them?
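The IP-derived country check described earlier and the three tenets above can be combined into a single login decision. The following is an added example, not code from this post or from any system the author describes; the factor weights, thresholds, the assumption that a country has already been derived from the source IP, the history store and the sample requests are all constructed for illustration. The idea it shows is that risk which the presented factors cannot cover triggers a step-up, and that a password alone covers no risk at all.

```python
"""Added example (not the author's design): a small risk-scoring policy that
combines the three identity tenets, the strength of the authentication factors
presented (tenet 1), the context of the request (tenet 2) and whether the
requested action is normal for that user (tenet 3), into an allow, step-up or
deny decision. Weights, thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # ask for an additional factor before continuing
    DENY = "deny"


@dataclass(frozen=True)
class LoginRequest:
    user: str
    factors: frozenset      # factor names presented, e.g. {"password"}
    device_id: str
    country: str            # assumed to come from a GeoIP lookup of the source IP
    action: str             # the first thing the session is trying to do


@dataclass
class UserHistory:
    home_countries: set
    known_devices: set
    usual_actions: set
    failed_attempts: int = 0


# Tenet 1: "something I know" (password) and SMS codes earn no credit on their
# own; "something I have" or "something I am" factors do. Assumed weights.
FACTOR_WEIGHT = {"password": 0, "sms_otp": 0, "certificate": 3, "biometric": 3, "hw_token": 3}
SENSITIVE_ACTIONS = {"transfer", "add_payee", "change_credentials"}
DENY_AT = 8  # assumed: at or above this, no factor set is enough for this session


def auth_strength(req: LoginRequest) -> int:
    return sum(FACTOR_WEIGHT.get(f, 0) for f in req.factors)


def context_risk(req: LoginRequest, hist: UserHistory) -> int:
    """Tenet 2: device and origin country compared with what we have seen before."""
    new_device = req.device_id not in hist.known_devices
    new_country = req.country not in hist.home_countries
    risk = (2 if new_device else 0) + (3 if new_country else 0)
    if new_device and new_country:
        risk += 1  # both unfamiliar at once is worse than either alone
    return risk


def behaviour_risk(req: LoginRequest, hist: UserHistory) -> int:
    """Tenet 3: is the requested action something this user normally does?"""
    if req.action in hist.usual_actions:
        return 0
    return 3 if req.action in SENSITIVE_ACTIONS else 1


def decide(req: LoginRequest, hist: UserHistory) -> tuple:
    """Return (Decision, risk score). Risk the presented factors cannot cover
    triggers a step-up; at DENY_AT or above the request is refused outright."""
    risk = context_risk(req, hist) + behaviour_risk(req, hist) + min(hist.failed_attempts, 3)
    if risk >= DENY_AT:
        return Decision.DENY, risk
    if risk > auth_strength(req):
        return Decision.STEP_UP, risk
    return Decision.ALLOW, risk


def record_success(req: LoginRequest, hist: UserHistory) -> None:
    """After a successful (possibly stepped-up) login, the device and country
    become part of the user's normal context, so the next visit is quieter."""
    hist.known_devices.add(req.device_id)
    hist.home_countries.add(req.country)
    hist.failed_attempts = 0


def run_samples() -> dict:
    """Constructed sample history and requests; returns each case's decision."""
    hist = UserHistory(home_countries={"GB"}, known_devices={"phone-1"},
                       usual_actions={"view_balance", "pay_bill"})
    pw = frozenset({"password"})
    cases = {
        "home_device_home_country": LoginRequest("adrian", pw, "phone-1", "GB", "view_balance"),
        "travelling_password_only": LoginRequest("adrian", pw, "phone-1", "FR", "view_balance"),
        "travelling_with_cert": LoginRequest("adrian", pw | {"certificate"}, "phone-1", "FR", "view_balance"),
        "new_device_abroad_transfer": LoginRequest("adrian", pw, "laptop-9", "FR", "transfer"),
        "strong_factors_new_device_transfer": LoginRequest(
            "adrian", frozenset({"biometric", "hw_token"}), "laptop-9", "GB", "transfer"),
    }
    results = {name: decide(req, hist)[0] for name, req in cases.items()}
    # The traveller completes the step-up, so the same request is now routine.
    record_success(cases["travelling_password_only"], hist)
    results["travelling_after_step_up"] = decide(cases["travelling_password_only"], hist)[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:40} {outcome.value}")
```

Two design points are worth noting. A password contributes zero strength, so with password-only authentication any unfamiliar context or unusual action forces a step-up, which is exactly the "other controls" the post asks for while passwords remain. And the history store is updated only on a completed login, so an attacker who fails the step-up does not get their device or country added to the user's normal context.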
As we evolve to platform-as-a-service based architectures, and hopefully beyond that to event-driven ones (where your code is only instantiated in response to an event), we must look to the application to better protect itself. Key principles for architecting secure systems should therefore be developed and documented within your organisation. Consider how the tenets I describe could be used in your security architecture designs.
There are great tools for doing all of the above and most of what I have described wouldn’t even be visible to the user. In my next blog I will put this into the context of privileged users and privileged access.
Adrian has been working in Information Security for 16 of his 21 years in technology. He classes himself as a technologist who specialises in security. He is now London Stock Exchange Group CISO, having just been HSBC's CISO, where he was in charge of all IT security globally for two years. He has worked in many industries and companies, bringing his unique brand of security that puts the business first.
Prior to HSBC Adrian was Executive in Residence at Accel Partners (London), helping and advising startups. He was also CISO at Skype for five years, where web scale and big data made it one of the most challenging environments in which to apply security. Betfair, Man Group, Barclays Capital, BAA and BA are just some of the other companies he has worked for across the high-tech and financial sectors. He holds a Masters in Information Security from the University of London.