Identity and access management professionals have to fight the rising tide of cynicism against social media in the wake of privacy abuses, says a senior Microsoft official.
There is a lot of “anger, hatred and rejection for some of privacy practices in social media,” Pamela Dingle, Microsoft’s director of identity standards told the annual Identity North conference in Toronto on Tuesday.
Things are so bad there are “#deleteFacebook” and “#deleteallofthem” hashtags going around the Internet, she noted.
These arose after a company called Cambridge Analytica allegedly used personal data collected from a survey of Facebook users run by a university professor, who didn’t tell participants the data would be used to target political ads. Facebook CEO Mark Zuckerberg later apologized for mistakes.
But Dingle told the audience of largely IT pros “you can’t walk away from the types of services that the public sector wants and needs to provide to citizens, to employees, to people who are fundamental to the operation of a country.
“Unfortunately we as professionals have no choice but to set aside the sense of all or nothing” — meaning the feeling of some people that digital services are only going to be breached, or will abuse customer trust.
“We are the people who have to make it better, we can’t walk away. That’s a big responsibility for us to have right now … We may get it wrong… but people have to vote, have to send mail.
“They don’t have to trust us, and many will never trust us. But it doesn’t matter. We are stewards of their data regardless.”
Consumer rage, she suggested, is unlikely to make most people suddenly aware of privacy issues and willing to read the fine print of user consent statements. “There will always be some people who will do the most predictable thing,” she said.
Have a complex password policy requiring users to pick a capital letter, a number and a special character? Then they will merely add that to their favourite – and often re-used — password. So dragon becomes Drag0n1.
“People become more predictable the more guidelines you shove at them,” Dingle said.
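The “dragon becomes Drag0n1” pattern above is exactly what a password filter can catch if it undoes the predictable decorations before comparing against a list of common base words. The following is an added example, not code from the article or from Microsoft: it normalizes a candidate password by stripping trailing digits and symbols and reversing common leet substitutions, then checks whether the result is a known weak base word. The blocklist and substitution table are constructed for illustration; a real deployment would use a breached-password corpus.

```python
"""Detect policy-mangled variants of common passwords.

Added example (not from the article). COMMON_BASES and LEET_MAP are
constructed sample data; production checks use breached-password lists.
"""
import re

# Constructed sample blocklist of common base words.
COMMON_BASES = {"dragon", "password", "welcome", "summer", "letmein"}

# Substitutions users typically apply to satisfy "needs a digit/symbol" rules.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def meets_complexity(password: str) -> bool:
    """A typical complexity rule: 8+ chars, an upper-case letter, a digit, a symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def normalize(password: str) -> str:
    """Strip predictable decorations and undo leet substitutions.

    'Drag0n1!' -> 'drag0n1!' -> 'drag0n' (trailing digits/symbols dropped)
    -> 'dragon' (leet reversed).
    """
    p = password.lower()
    p = re.sub(r"[\d!@#$%^&*?]+$", "", p)   # trailing '1', '123', '!', '2024'
    p = re.sub(r"^[!@#$%^&*?]+", "", p)     # leading symbols
    return p.translate(LEET_MAP)


def is_predictable(password: str) -> bool:
    """True when the password is merely a decorated common base word."""
    return normalize(password) in COMMON_BASES


def evaluate(password: str) -> dict:
    """Show that passing the complexity rule and being predictable are independent."""
    return {
        "meets_complexity": meets_complexity(password),
        "predictable": is_predictable(password),
        "base": normalize(password),
    }


if __name__ == "__main__":
    for candidate in ("Drag0n1", "Drag0n1!", "P@ssw0rd!", "correct-horse-battery"):
        print(candidate, evaluate(candidate))
```

The point a policy author should take from running this is that `Drag0n1!` satisfies every complexity rule yet normalizes to `dragon`, while a long passphrase that fails the symbol-and-digit rule is the one the blocklist cannot predict.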
Eliminating passwords isn’t the answer, she said. That’s why one of the big trends in identity and access management is eliminating unsanctioned impersonation through multi-factor authentication, federated token ecosystems and single sign-on, advanced abuse detection, password managers, privileged identity management and the like.
The other big trend by attackers is to trick users into giving them access to their applications, usually through an email attack that includes a request for access or to fill out a new (and fake) login form.
Users have to be trained that “consent is not just one question,” Dingle said, “but an entire big picture you’re going to paint for your users, starting with their preferences and going to who can see your email, who can operate the camera, the apps you connect to, the third parties that get shared on your behalf … All need to be rationalized into something everyone can manipulate.
“We are not there yet,” she added.
In the meantime, she said, identity and access management pros should watch for passive warning signs that credentials might be open for abuse. For example, if a large number of employees deny a consent request from an application but a few say yes, those few are likely compromised.
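That warning sign can be turned into a simple detection over the identity provider’s consent audit trail. The following is an added example, not code from the article or from any vendor: it parses constructed log lines (timestamp, user, application, decision; the field layout is an assumption), computes the grant rate per application, and flags the users who granted consent to an application that most of their colleagues declined. The thresholds are starting points to tune, not values from the talk.

```python
"""Flag consent grants to an application that most users declined.

Added example (not from the article). SAMPLE_LOG is constructed; the
whitespace-separated field layout is an assumption about the audit source.
"""
from collections import defaultdict

# Constructed sample consent audit log: timestamp user app decision
SAMPLE_LOG = """\
2018-06-19T09:01:02Z alice@example.com mail-sync-helper denied
2018-06-19T09:01:40Z bob@example.com mail-sync-helper denied
2018-06-19T09:02:11Z carol@example.com mail-sync-helper denied
2018-06-19T09:02:55Z dave@example.com mail-sync-helper granted
2018-06-19T09:03:20Z erin@example.com mail-sync-helper denied
2018-06-19T09:04:01Z frank@example.com mail-sync-helper denied
2018-06-19T09:05:13Z alice@example.com expense-tool granted
2018-06-19T09:05:50Z bob@example.com expense-tool granted
2018-06-19T09:06:30Z carol@example.com expense-tool granted
"""


def parse_log(text: str) -> list:
    """Return (timestamp, user, app, decision) tuples; skip blank/malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(tuple(parts))
    return events


def suspicious_grants(events: list, min_decisions: int = 5,
                      max_grant_rate: float = 0.25) -> dict:
    """Map each mostly-declined app to the sorted list of users who granted it.

    An app is considered only once it has min_decisions recorded decisions,
    so a brand-new app with two grants is not flagged on thin evidence.
    """
    per_app = defaultdict(lambda: {"granted": [], "denied": 0})
    for _, user, app, decision in events:
        if decision == "granted":
            per_app[app]["granted"].append(user)
        elif decision == "denied":
            per_app[app]["denied"] += 1

    flagged = {}
    for app, stats in per_app.items():
        total = len(stats["granted"]) + stats["denied"]
        if total < min_decisions:
            continue
        rate = len(stats["granted"]) / total
        if 0 < rate <= max_grant_rate:
            flagged[app] = sorted(stats["granted"])
    return flagged


if __name__ == "__main__":
    for app, users in suspicious_grants(parse_log(SAMPLE_LOG)).items():
        print(f"{app}: review accounts {', '.join(users)}")
```

On the sample data `mail-sync-helper` is declined five times and granted once, so `dave@example.com` is surfaced for review; `expense-tool` is granted by everyone but has too few decisions to judge, so it is left alone. In practice the flagged accounts are a triage queue (check the grant’s source IP, device and the permissions requested), not an automatic verdict.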
“The number one thing you can do is get MFA (multifactor authentication),” she said, particularly for administrators. “That is the first step towards critical security practice.”
The second is preparing for end-to-end proof of possession, which Dingle said “is the new front for eliminating unsanctioned impersonation.” It’s a combination of security technologies that make sure an identity token can only be played where it is intended.