IT security: could you be the key?

Traditional strong authentication methods are useful to business, but we must start thinking about how to extend them to users

An area that I am particularly interested in these days is the extended enterprise, writes Peter Cummings. This is the concept of companies offering more services to users outside the company, be they consumers or other businesses. As a business starts to offer these services, it can also start to use some of the business-enabling features of identity and access management.

But as we continue to offer more services, we have already seen – and will continue to see more – fraudulent transactions and mismanagement of identity-related data. This is due to the vast array of username and password combinations we need to remember, poor user awareness and a lack of proper governance processes.

Now while there most certainly are people who use an array of tools to ensure their passwords are long and strong, most still reuse the same credential set, wherever possible, everywhere on the internet.

Peter Boyle of BT said at the last European Identity Conference in Munich: “If your customers don’t feel secure they will leave you." With that in mind, I was surprised to see in an article a few months back that Twitter was urging media companies to ensure their passwords were strong enough, following the account hijacking that led to a stock market reaction. I was surprised because I believe that, when you offer services to your clients and their details are stolen or abused, your business will take the blame – regardless of where the fault lies – and the customers will leave. Twitter, I think, is large and unique enough that it is probably not about to close. But for smaller businesses this could be critical: the responsibility to secure services lies with the service provider.

For public and government services, trust is critical. Andrew Miller, chair of the Commons science and technology select committee, recently said: “Public trust is absolutely essential. The government must ensure the integrity and security of data and give people sufficient control over their stored personal information.” He is hitting the nail right on the head, and this goes for any business as well as the government.

The UK is losing massive amounts of money every year by not having the national ID card which, as I understand it, was killed off partly due to a lack of public trust in the government. This lack of public trust also extends to businesses; I do believe that, in the aftermath of Edward Snowden's revelations about the US Prism internet surveillance programme, many of us will at the very least re-evaluate our trust in certain internet services.

The concept of a national identity as implemented in many European countries will probably never see the light of day in the UK, so we need to think of an alternative that works equally well, if not better. We need to find a way to offer secure services that also increases our clients' trust. Many cloud service providers and other businesses have already adopted various social log-in options. While it has become “cool” to use social log-ins, we need to ask ourselves whether Facebook, Twitter and other identity providers are good enough, especially once we start considering more sensitive transactions. Traditional strong authentication methods can be very useful inside a business, but we need to start thinking about how to extend them to users on the go, on a smartphone.

For an organisation preparing to embark on the journey to become an agile, connected business, there are three main challenges to consider.

  1. The first is flexibility: you need to support various types of authentication, from low assurance to really secure, and plan to support a number of different identity providers. How many authentication types and identity providers you need depends on your consumers and the types of services you offer. So when you build your architecture, do not rely on one thing only; stay flexible and allow for several authentication types.
  2. The second (and this is where it gets really important) is that you need to decide what information is needed and when, and support the ability to step up the authentication strength for a user before they get to that information. The critical point is that, when we want to move a user to a higher level of authentication, it should be for one of two reasons: because we require more information about the user, and that information could be sensitive; or because we want to ensure non-repudiation of the transaction being performed.
  3. The third is trust: we need to secure our services and increase user trust, because it is in fact our identity we want to protect. Think of electronic patient journals. Most of us would not like those records to be in the public domain, but what if our journals contained no data saying that the record is actually about us specifically; would we then mind it being public? I say no. If that is indeed the case, then all medical records could be freely used for data mining, statistical analysis and much more, with no harm to the individual.
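As an added illustration of the first two challenges (this is example code written for this page, not code from the article or from KuppingerCole), the following Python sketches a step-up policy: each identity provider maps to an assurance level, each resource states the level it needs and the reason, a step-up expires after a while, and the decision is recomputed server-side on every request. The level names, the provider table, the resource policy and the step-up lifetimes are all assumptions chosen for the example.

```python
"""Step-up authentication policy sketch. Added example, not from the article;
assurance levels, identity-provider table, resource policy and lifetimes are
assumptions made for illustration."""
import time
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    SOCIAL = 1      # identity asserted by a third-party social log-in
    PASSWORD = 2    # username and password held by us
    OTP = 3         # password plus a one-time code, e.g. from a phone app
    SIGNATURE = 4   # a key held by the user (phone or token) signs the request


# Flexibility: several identity providers, each mapped to the assurance it gives.
IDP_ASSURANCE = {
    "facebook": Assurance.SOCIAL,
    "twitter": Assurance.SOCIAL,
    "local-password": Assurance.PASSWORD,
    "local-otp": Assurance.OTP,
    "phone-signing-key": Assurance.SIGNATURE,
}

# A step-up decays: after this many seconds the user must repeat it.
# Levels without an entry last for the whole session.
STEP_UP_LIFETIME = {Assurance.OTP: 15 * 60, Assurance.SIGNATURE: 5 * 60}

# What each resource needs and why. The two reasons the text gives for a
# step-up are sensitive data and non-repudiation of a transaction.
POLICY = {
    "profile/read": (Assurance.SOCIAL, "low-value data"),
    "journal/read": (Assurance.OTP, "sensitive data"),
    "payment/submit": (Assurance.SIGNATURE, "non-repudiation"),
}


@dataclass
class Session:
    user: str
    achieved: dict = field(default_factory=dict)  # Assurance -> time achieved

    def authenticate(self, idp, now):
        """Record a completed authentication with one identity provider."""
        self.achieved[IDP_ASSURANCE[idp]] = now

    def level(self, now):
        """Highest assurance still valid at `now`; expired step-ups do not count."""
        best = Assurance.NONE
        for lvl, at in self.achieved.items():
            lifetime = STEP_UP_LIFETIME.get(lvl)
            if lifetime is not None and now - at > lifetime:
                continue
            best = max(best, lvl)
        return best


def decide(session, resource, now=None):
    """Return ('allow', None), ('step_up', required_level) or ('deny', None).

    Computed from the server-side session record on every request; nothing the
    client claims about its own authentication level is trusted.
    """
    now = time.time() if now is None else now
    if resource not in POLICY:
        return ("deny", None)        # default deny for unknown resources
    required, _reason = POLICY[resource]
    if session.level(now) >= required:
        return ("allow", None)
    return ("step_up", required)     # tell the client which strength to present


if __name__ == "__main__":
    s = Session("alice")
    s.authenticate("twitter", now=0)
    print(decide(s, "journal/read", now=10))            # step-up to OTP
    s.authenticate("local-otp", now=10)
    print(decide(s, "journal/read", now=20))            # allow
    print(decide(s, "journal/read", now=10 + 15 * 60 + 1))  # OTP expired, step-up again
```

The point to take from the sketch is that the social log-in is enough to read a profile, but reaching the journal or submitting a payment forces a fresh, stronger factor, and that the step-up is time-limited rather than promoting the session permanently.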

The observant reader is right about now asking: “Well, what good is a patient journal if we do not know who the patient is?” and this is a great question. Our mobile phone provider, our bank, our gas supplier and many more hold identity information about us. Why? Because we let them have it. We could extend that process to all kinds of information and, at the same time, you could decide exactly who has access to your patient journal, tax records and online shopping account simply by using, for example, a PIN on your mobile phone, just as you would use your PIN at a cashpoint.

What we need to start thinking of is “bring your own identity” – allowing the user to control who has access to their data and, more importantly, to revoke that access when it is no longer needed.

Identity and access management is no longer something we do only in big corporations; we need to extend it to users. I believe that, in the internet of things, we should consider another PKI – a personal key infrastructure – and let the user be the key holder to their own information.
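To make the “bring your own identity” idea and the anonymous patient journal concrete, here is an added example (written for this page, not from the article) of a record store that never learns who a person is: records are indexed by a pseudonym derived with HMAC from a key only the user holds, so the same person's journal and tax records are unlinkable to anyone without that key, and only the key holder can grant a named party access for a limited time or revoke it. The field names, the service names and the grant mechanism are assumptions; the PIN that would unlock the key on a phone is left out.

```python
"""Pseudonymous record store with user-held key. Added example, not from the
article; field names, service names and the grant scheme are assumptions."""
import hashlib
import hmac
import secrets

# Field names the store refuses to hold, so a leaked record identifies nobody.
# Constructed list for the example.
IDENTIFYING_FIELDS = {"name", "date_of_birth", "address", "national_id", "email", "phone"}


def derive(user_key: bytes, purpose: str, service: str) -> str:
    """HMAC-SHA256 over a labelled message. Only the holder of user_key can
    compute it, and outputs for different services are unlinkable."""
    return hmac.new(user_key, f"{purpose}:{service}".encode(), hashlib.sha256).hexdigest()


def pseudonym(user_key: bytes, service: str) -> str:
    """Index under which this person's record for one service is stored."""
    return derive(user_key, "pseudonym", service)


def owner_secret(user_key: bytes, service: str) -> str:
    """Secret the user presents to prove they control that record."""
    return derive(user_key, "owner", service)


class RecordStore:
    """Holds records by pseudonym. It never sees who the person is; it keeps
    only a hash of the owner secret and the grants the owner has issued."""

    def __init__(self):
        self.records = {}     # pseudonym -> record without identifying fields
        self.owner_hash = {}  # pseudonym -> sha256(owner_secret)
        self.grants = {}      # pseudonym -> {grantee: (token, expires_at)}

    def create(self, pseud, owner, record):
        leaked = IDENTIFYING_FIELDS & set(record)
        if leaked:
            raise ValueError(f"identifying fields refused: {sorted(leaked)}")
        if pseud in self.owner_hash:
            raise PermissionError("pseudonym already claimed")
        self.owner_hash[pseud] = hashlib.sha256(bytes.fromhex(owner)).hexdigest()
        self.records[pseud] = dict(record)
        self.grants[pseud] = {}

    def _check_owner(self, pseud, owner):
        expected = self.owner_hash.get(pseud)
        presented = hashlib.sha256(bytes.fromhex(owner)).hexdigest()
        if expected is None or not hmac.compare_digest(expected, presented):
            raise PermissionError("not the key holder")

    def grant(self, pseud, owner, grantee, expires_at):
        """Owner lets `grantee` read until `expires_at`; returns the token to hand over."""
        self._check_owner(pseud, owner)
        token = secrets.token_hex(16)
        self.grants[pseud][grantee] = (token, expires_at)
        return token

    def revoke(self, pseud, owner, grantee):
        """Owner withdraws access; the grantee's token stops working at once."""
        self._check_owner(pseud, owner)
        self.grants[pseud].pop(grantee, None)

    def read(self, pseud, grantee, token, now):
        """Grantee reads the record; None if no grant, expired, or wrong token."""
        entry = self.grants.get(pseud, {}).get(grantee)
        if entry is None:
            return None
        stored, expires_at = entry
        if now >= expires_at or not hmac.compare_digest(stored, token):
            return None
        return dict(self.records[pseud])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives on the user's phone, unlocked by their PIN
    service = "patient-journal"
    journal = pseudonym(key, service)
    store = RecordStore()
    store.create(journal, owner_secret(key, service),
                 {"blood_group": "O+", "allergies": ["penicillin"]})
    token = store.grant(journal, owner_secret(key, service), "gp-surgery", expires_at=2000)
    print(store.read(journal, "gp-surgery", token, now=1500))  # the record
    store.revoke(journal, owner_secret(key, service), "gp-surgery")
    print(store.read(journal, "gp-surgery", token, now=1500))  # None
```

Two properties are worth checking against the text: the store can run statistics over every record it holds without knowing whose they are, and the user is the one who decides who gets in and for how long, which is what the revocation step in “bring your own identity” requires.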

Peter Cummings is an analyst and managing partner at KuppingerCole UK
