Cyber security conferences usually have many predictable sessions, along the lines of ‘Here’s how this foolish company let itself be hacked ….’
However, one speaker at this month’s annual SecTor conference in Toronto beamed a ray of optimism.
“I genuinely think that in 10 years we will not see the level of attacks we see today,” predicted Sarah Squire, a senior technical architect with Ping Identity, who is also on the board of the OpenID Foundation and a co-founder of IDPro, an association for identity professionals.
By working hard to reduce the number of software and authentication/login vulnerabilities, she said, attack vectors will be reduced.
“Our job as security professionals is to reduce the supply of vulnerabilities on the Internet. When we do that it increases the cost to the attacker and they have to be more sophisticated.”
In an interview, she expanded. “Most attackers are trying to get something to monetize. Usually the easiest thing is to attack the authentication/login system.” As a result, more organizations are outsourcing authentication to providers with the expertise to protect accounts.
Brute force attacks are still very effective, she added, largely because organizations have poor authentication mechanisms. That’s because infosec pros are spending most of their money on strengthening firewalls and encryption, which, she believes, aren’t the weakest link in their security chain. Those weak spots are authentication and application programming interfaces (APIs).
There are four trends in identity management that infosec pros need to think about which will help beef up security, she told the conference:
–Zero Login: Allows people to do things on a site without logging in, usually because the transaction is low-risk (for example, a movie ticket) and you know who the customer is by context (this person is using the same device, IP address and credit card as previous transactions).
Systems that support zero login build risk scores from various factors to decide who needs to log in, and who doesn’t. The advantage is it takes the friction out of authentication for customers. Amazon is trying it, but, Squire says, it’s a new technology that still needs to be tweaked;
–Zero Trust Networks: Trust no one on the network. It’s the opposite of zero login. Used in enterprise networks where firewalls aren’t enough. All users, applications and devices have to be authenticated;
–One Identity Initiatives: These create a single authentication management system so employees can log in once and have access to everything with a secure token. Advantages include eliminating multiple logins to get at different databases/applications, and when an employee leaves all access can be quickly revoked;
–Open Everything: Based on the idea that people should be allowed to share data across applications, including competing organizations. In the U.K., for example, major banks now have to allow customers to aggregate their financial data across several institutions so they can have a unified look at their finances. The idea would allow patients to easily send data from one doctor to another.
Usually this is done through open APIs. A fine idea as long as the APIs are secure.
There’s already one example of this in Canada: the Canada Revenue Agency allows taxpayers to log into its site with their bank’s credentials.
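The zero-login decision described above, as an added illustration (not code from the talk, from Ping Identity or from Amazon): prior authenticated transactions build up the context a customer is known by (device, IP address, card), each unfamiliar factor adds to a risk score, and the transaction type sets how much risk can be tolerated before a login is demanded. The signals, weights and thresholds are assumptions chosen for the example.

```python
"""Context-based risk scoring for a 'zero login' decision.

Added example, not the speaker's or any vendor's code. The weights,
thresholds and transaction types below are assumptions for illustration;
a real deployment tunes them from its own fraud data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    device_id: str      # persistent device fingerprint or device cookie
    ip: str
    card_last4: str     # payment instrument identifier (constructed stand-in)
    amount: float


@dataclass
class CustomerHistory:
    """Context accumulated from transactions that were explicitly authenticated."""
    devices: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)
    cards: set[str] = field(default_factory=set)
    typical_amount: float = 0.0


def risk_score(tx: Transaction, hist: CustomerHistory) -> int:
    """Higher is riskier. Each unfamiliar factor adds an assumed weight."""
    score = 0
    if tx.device_id not in hist.devices:
        score += 40          # a new device is the strongest single signal
    if tx.ip not in hist.ips:
        score += 20          # IP changes legitimately (mobile, travel), so weigh it lightly
    if tx.card_last4 not in hist.cards:
        score += 30
    # Spending far above the customer's usual amount is a signal on its own.
    if hist.typical_amount and tx.amount > 3 * hist.typical_amount:
        score += 25
    return score


# Assumed tolerance per transaction type: a movie ticket can ride on context
# alone, a purchase less so, and changing payout details never can (-1 means
# "always require login", since a score is never below 0).
THRESHOLDS = {"movie_ticket": 50, "purchase": 30, "change_payout_details": -1}


def requires_login(tx: Transaction, hist: CustomerHistory, tx_type: str) -> bool:
    """True when the accumulated risk exceeds what this transaction type tolerates."""
    return risk_score(tx, hist) > THRESHOLDS[tx_type]


def record_authenticated(tx: Transaction, hist: CustomerHistory) -> None:
    """After a successful explicit login, the transaction's context becomes 'known'.

    Only authenticated transactions feed the history; otherwise an attacker
    could teach the system a new device simply by using it.
    """
    hist.devices.add(tx.device_id)
    hist.ips.add(tx.ip)
    hist.cards.add(tx.card_last4)
    if hist.typical_amount == 0.0:
        hist.typical_amount = tx.amount


if __name__ == "__main__":
    # Constructed sample history and transactions (documentation-range IPs).
    known = CustomerHistory({"dev-A"}, {"203.0.113.7"}, {"4242"}, 15.0)
    same_context = Transaction("c1", "dev-A", "203.0.113.7", "4242", 12.0)
    new_device = Transaction("c1", "dev-B", "198.51.100.9", "4242", 12.0)
    print("ticket, known context  -> login:", requires_login(same_context, known, "movie_ticket"))
    print("ticket, new device+IP  -> login:", requires_login(new_device, known, "movie_ticket"))
    print("payout change, known   -> login:", requires_login(same_context, known, "change_payout_details"))
```

The design point a practitioner should take from it: the history is only updated from transactions that passed an explicit login, so the friction removed for the customer is not also removed for an attacker who has just obtained the card number.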
These four trends are the most common ones Squire sees CTOs putting to boards or into strategic plans for consideration in long-term planning.
What should CISOs do to prepare for them? Get ready for a world of open APIs, says Squire, or for a self-service identity platform that will spit out a few lines of code for endpoints. Remember, though, for either to work your infrastructure will need to run at 99.9 per cent uptime. Also, start working on a One Identity Initiative.
Meanwhile, initiate a smart password policy (allow long passphrases) and get rid of secret questions for password resets. Squire is also a big fan of hardware-based two-factor authentication solutions like YubiKeys. (Small enough that she wears one as an earring).
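A password policy along the lines Squire recommends, as an added illustration rather than anything from the talk: length is the main requirement, passphrases are allowed to be long, there are no character-class composition rules, and the candidate is checked against a breached-password list. The minimum length, the upper cap and the breached list are assumptions for the example. One caveat that goes with allowing long passphrases: the hash used to store them must not silently truncate long input (bcrypt, for instance, only uses the first 72 bytes), so the example stores them with scrypt from the standard library, which hashes the whole passphrase.

```python
"""Passphrase-friendly password policy with a non-truncating password hash.

Added example, not the speaker's code. MIN_LEN, MAX_LEN and the BREACHED set
are assumptions; a real deployment would use a full breached-password corpus.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 12     # assumed minimum: length does more work than symbol rules
MAX_LEN = 256    # assumed cap: high enough that no real passphrase is refused,
                 # low enough to bound the cost of hashing attacker-sent input
# Constructed stand-in for a breached-password list (lower-cased entries).
BREACHED = {"password1!", "qwerty123456", "letmein12345", "correcthorsebatterystaple"}


def _normalize(pw: str) -> str:
    # NFKC so the same passphrase typed on different platforms yields the same bytes.
    return unicodedata.normalize("NFKC", pw)


def check_passphrase(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    pw = _normalize(pw)
    problems: list[str] = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Compare with spaces removed as well, so "correct horse battery staple"
    # is caught when the breached list stores it without spaces.
    if pw.lower() in BREACHED or pw.lower().replace(" ", "") in BREACHED:
        problems.append("appears in breached-password list")
    # Deliberately no digit/uppercase/symbol requirements: they mostly produce
    # predictable substitutions and discourage long passphrases.
    return problems


def hash_passphrase(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, key). scrypt uses every byte of the input, unlike bcrypt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(_normalize(pw).encode("utf-8"), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=32)   # ~16 MiB per hash
    return salt, key


def verify_passphrase(pw: str, salt: bytes, stored_key: bytes) -> bool:
    """Constant-time comparison against the stored key."""
    _, key = hash_passphrase(pw, salt)
    return hmac.compare_digest(key, stored_key)


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple",
                      "the quick brown fox jumps over the lazy dog at dawn"]:
        print(repr(candidate), "->", check_passphrase(candidate) or "ok")
    salt, key = hash_passphrase("the quick brown fox jumps over the lazy dog at dawn")
    print("verify correct:", verify_passphrase("the quick brown fox jumps over the lazy dog at dawn", salt, key))
    print("verify wrong:  ", verify_passphrase("the quick brown fox jumps over the lazy dog at noon", salt, key))
```

The policy function returns every violation rather than stopping at the first, which is what a registration form needs; the hashing and verification functions are separate from the policy so that the same policy can sit in front of whatever credential store is eventually used.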
She also encouraged those involved in identity management to join IDPro, which aims to build a body of knowledge and, hopefully, a certification program.