Roundtable: Identity and access management
Thursday's round table: an in-depth discussion on identity and access management
The SC Magazine round table discussion kicked off on Thursday, addressing the contentious issues of identity and access management in the industry.
The keynote speaker was Professor Rick Chandler, a board member of The European Association for E-identity and Security for 15 years. Rick was also on the private sector steering group of the UK ID Card programme.
“It all comes back to identity: proving who you are,” said Chandler, as he opened the round table. First on the agenda was the ever-present question of the balance between security and privacy. He held up his Estonian identity card, which identifies Chandler as an e-resident of Estonia, the first country in the world to offer a transnational digital identity.
While previous privacy concerns in IT security have been slanted “to protect the business and business information”, privacy concerns are increasingly being directed towards private individual data.
The line between usability, security and privacy is a hard one to walk, and it may get harder if things keep going the way they are. Businesses increasingly depend on personal information offered by customers, Chandler reminded the group: “We're going on to a shared business environment, where we share information in order to make the community better.” With the growth of wearables, sensors and the Internet of Things – voice-activated TVs, for instance – this trend might be hard to mitigate.
Still, individual privacy is an important question for the future of IT security and fraud defence: Identity theft accounted for 114,000 frauds last year and 41 percent of all frauds recorded (source: Fraudscape: UK fraud trends 2015, Cifas). In 2015, IT and security professionals will have to start thinking about new ways to secure personal information beyond the long-held tradition of passwords.
The Communications-Electronics Security Group (CESG), the international arm of GCHQ, Britain's signals intelligence agency, admitted earlier this month that many of the precautions taken around passwords cause more trouble for the user than they do for the potential attacker.
Paul Appleton, head of information security at G4S, expressing a personal opinion, picked up on this: “CESG have said that passwords have had their day.”
Appleton went on to remind us that even password managers, previously thought more secure, don't provide a perfect solution. “Given that they have been compromised twice, you have to take a risk-based view,” he said, adding that they are “probably good enough for your normal account, but for a privileged user account, I would suggest it's not good enough.”
Nick Ioannou, blogger, head of IT at Ratcliffe Groves Partnership and the author of Internet Security Fundamentals, picked up on the CESG advice, encouraging people to use passphrases rather than passwords. “I encourage people to use the word passphrase, to get that mindset,” he said.
Ioannou has been working on 2FA, or two-factor authentication, an authentication procedure that requires more than one proof of identity; it can be cumbersome but is often effective. What should those factors be, though?
Chandler mentioned the growth of biometric data in identifying users, specifically the more recent use of enzymes. Whether this could actually be put into action is another question, considering the potentially prohibitive costs of biometric readers. Brian Short, chairman of the Charity Security Forum, which represents security professionals in charities, said that many of the smaller charities would not be able to afford - or need - such identification of people, many of whom may be supporters and not members or staff.
The group mentioned that mobiles might provide the means for making use of biometric data, not just enzymes but personal attributes such as facial recognition through ‘selfies’ and photos that might be stored on the user's phone. However, Ioannou warned that the problem with mobile as a second factor is that “it breaks, it crashes, it runs out of battery – it's not a super reliable appliance.”
“Have Siri and Cortana got a point?” Chandler challenged the round table. Both Siri and Cortana identify users by building profiles of their activity: what time they log in, how users type on the keyboard and what kind of data they use. Could identification by people's recorded habits be a way of identifying users in the future using big data contextual analysis?
But do we even want an irrevocable 'DNA' type identity? The group discussed how full identification might not even be specifically what we want, if we also want to maintain personal privacy. What we really want, the group agreed, is a private key, a secure way of confirming our identities without giving away too much information.
Perhaps the onus of secure identification should not rest completely on IT professionals to ensure individual privacy – it's important for end users to be part of the process. An Enterprise Strategy Group survey last year showed that 57 percent of enterprise security professionals blamed malware attacks on “a lack of user knowledge about cyber-security risks”. Ioannou echoed the findings, saying “user education is always the cheapest, the easiest and will get the most results”.
Depending on your point of view, even the questions you ask may differ. Older people might be innately suspicious of offering information, while younger people who grew up exchanging personal data for a better user experience might welcome it.
Appleton offered some insight: “I suspect that when my children are my age, they won't care.” Confronted with a potential privacy breach, they'll say, “I'm happy to put all my information on Facebook.”