I am happy to report that I was recruited into writing a new blog on our RSA website-- some of the subject matters that I get excited about are more synergistic with the content here. I trust this will be a good introduction for you to all my august colleagues, and that you shall gain from the wealth of diverse security viewpoints as well.
One such topic that has been brewing for some time is that of identity fraud. This type rears its ugly head in all sorts of ways, and sometimes as it did here, does so in big, mean ways. As I read of the Gov. Palin email debacle, several thoughts occurred to me on the hows and whys, and if it wasn't time for us all to move the security benchmark to a higher standard.
Enjoy the blog on Gov. Palin, Yahoo! Email and Security—A Call To Action? . And do write in with your thoughts, comments.
Or, read on here...
Gov. Palin, Yahoo! Email and Security—A Call To Action?
What’s going on?
The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email.
“Rubico”, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! Is it really that easy to hack into email or messaging services that the common person uses globally? It may well be, since using basic authentication to re-generate a password might use the simplest [and weakest] of challenge questions.
But it needn’t be that way. And we know so because these days our corporate email systems use a myriad of authentication methods. In fact, if I even want to access my corporate email on my iPhone, the system insists on my entering my passcode. This is then matched along with the security access codes I set up on my iPhone to get me a secure connection into my office network. That’s good security, even more essential for business applications.
So why aren’t we more secure?
An interesting question, given that there are at least a dozen different layered authentication methodologies that are well-proven for various applications [one-time passwords provided through various hardware and software authenticators, knowledge- and risk-based authentication, challenge/response questions, device profiling, adaptive authentication for the phone, and so on] and some are apropos for email and messaging too.
The dilemma here is that it is necessary for a service provider to build simple, usable security solutions for the multitudes of subscribers who use free email services worldwide. Remember the grandparents who want to see the baby photos? Know the computer jocks and students who expect the service providers’ technology to protect their emails and not be bothered by extensive authentication requirements? Ergo, the most basic and weak challenge/response approach for Gov. Palin’s email password reset, selected from a limited and easily-found range of identification questions—decidedly easy to use, but quite hackable.
Yet, consumers are adopting security quite rapidly
When anti-spam filters became a standard part of browsers, consumers were asked what levels of security they wanted. Higher levels meant occasional permissions had to be granted for various sites or information to be accessed and displayed. Better technology reduced these interruptions, but largely, consumers adapted to these security features. So did the uninitiated who learned how to use ATMs, and the impatient who acquiesced to entering zip codes at gas stations when using credit cards.
The time is right for some security advancements
I think the time is right for a series of options that need to be considered by email service providers, security technology providers and consumers.
For the Service Providers: Can the choice of enforcing the level of one’s own privacy be given back to the user? And if so, up to what extent? I think the time is right to do so extensively, and the providers might actually gain from the added security credibility.
For the technology providers: The call of the day is to offer effective strong authentication solutions such as those based on user behavior patterns that are transparent to the end users as much as possible. Many of the previously-mentioned technologies are well-proven and even commoditized for broader adoption.
For the consumers: Legally, you own your own email content [but not the services that host it], so it’s up to you to demand how you protect your own email content. Perhaps you need to either use the most secure email services for your most sensitive data, or to be very disciplined in password management with changing your passwords frequently and even using incorrect answers for your challenge questions!
And, if you are a celebrity, or think you are, demand and use higher security!
What a refreshing conversation it was—a senior Global 100 bank’s IT executive was gushing on how he was in the money. No, really! And even better, amidst today’s financial fiascos, he had selected to tell me about how he was financially ahead by deploying some state-of-art security solutions.
Unheard of, you might say. But could it be that we are looking at the early reports on the benefits of Security done right?
Correlating Assurance, Efficiencies and Financial Gains
Big Banker was saying that deploying well crafted security, particularly one that was built into the IT products, had offered him greater assurance, exposing his data to lessened risks. Embedded encryption on his tapes had saved him $20M in potential compliance remediation were the tapes to be lost. Big peace of mind, with money and energy now expended in tackling other core data exposures.
Big Banker had just yanked out some security gateways across his global operations because we at EMC had now built in access control into our products [free!]. With his more secure products and their higher assurance, not only was he reducing the redundant layers of security, but was now able to consolidate his audits to meet compliance and governance requirements. Wow!
As he centralized services [password management, single sign-on, key management, log management], he was churning up huge savings, yet increasing assurance levels and making more budgets available for risk management for new business initiatives.
Ka-ching!
Making Security A Strategic Conversation
Yet, one of the key realizations for me from my banker friend was that he was talking of security as an integral part of his corporation’s data protection strategy. He inter-changed the references to security and data protection so freely, that I actually stopped him to confirm if he actually meant it to be so. And sure enough, he was.
To me, this is a significant step forward in any organization’s security maturity curve for two reasons:
First, it shows that an organization has moved on from security point products being deployed to plug ad hoc gaps.
Second, I see this as the next step towards thinking of security as an integral part of an information management strategy— the necessary organizational structure for security to be done right.
Big Banker continued with how he has an emerging opportunity for Security to be considered in the context of emerging cloud computing models, and a part of the Information Architecture Council deliberations— All are small examples of the right-positioning of Security. All will lead to reaping the most benefits from leveraging Security investments.
Remember SOX?
Reminds me of the early days of Sarbanes Oxley where small corporations had to invest $600,000 to deploy SOX, and larger corporations were magnitudes higher. Experts suspected benefits, and surely enough, reports abound today on how SOX has been saving organizations operating and investment costs through standardized IT processes and consolidated infrastructures and applications. But it took 3-5 years for formal ROI reports on SOX benefits to come to light.
I think my banker friend was re-affirming what we had always suspected—there’s money to be saved in security done right, if only we kept our eyes open to count it…
As I travel the world and talk to various security folks in diverse organizations, I have begun to hear increasing references to the benefits of Security done right. In today’s economic climate, there is equally the need for Security deployments to be correlated with bona fide Return on Security Investments.
Can you actually count your money saved in Security? If you can, and particularly if you can do so convincingly, then your executives too will actively support you in your quest for Sustainable Security….
As Google beta releases its new web browser, Chrome, a lot is being said about its security lapses that are quickly coming to light. I don’t believe it really matters if the lapses are big or small, correctable or not, or just marketing faux pas versus mere engineering slips. I am more concerned with the genesis of Google’s security challenges, and if these traits can be inherently set right in short order.
I can’t say I can gauge the maturity of Google’s security programs. But I suspect that such elements of its program as security policy, deep training, consistent process and security technology already exist and can and will be raised to the necessary and highest levels.
Yet, I think there is something more… Could it be that Chrome’s security lapses might well be ingrained in Google’s DNA itself?
After having ruled the search domain and annexing advertizing, Google is on its next new quest. No, not web browsers, but in reality a platform that is an online operating system. And not just a platform for JavaScript support, but a doorway for hosting on-line applications.
They are quick to learn from Firefox the efficacy of open source to foster web browser innovation, and from Microsoft, the potential to control your search engine’s destiny through browsers. So high is the engineering and market dominance confidence of this organization, that with their modular development teams, they have stretched out their portfolio from email, office and other solutions to browsers in a fairly short duration.
It is this fact that makes me particularly nervous when it comes to security—the more the silos of development groups and products, and the broader this portfolio expanse, the more gaps and lapses in security. The harder it is to enforce a consistent and comprehensive development and deployment of secure products. Microsoft knows firsthand, and it has taken several years for them to develop their security program to a level of maturity that today offers significantly more assurance to us consumers.
The yearning to dominate often foreshadows the discipline needed for security.
Google assiduously represented its entire search functionality in seven words for the longest of times on its search page. The mantra was simplicity in form and function, and they delivered pristinely with their unmatched search content.
This DNA, the zen for simplicity, is again evident in Chrome with merely two menus and few toolbar icons. It is elegant in its maximal content space, absent tool bars, consolidated address and search bars, clever navigational suggestions, thought-flow layouts with tab management capabilities and so on. Chrome seems to suggest, why do you need a progress bar when Chrome is so fast? Or, why would you need to manage your favorite stuff if Chrome does it for you so well?
After having ruled the search domain and annexing advertizing, Google is on its next new quest. No, not web browsers, but in reality a platform that is an online operating system. And not just a platform for JavaScript support, but a doorway for hosting on-line applications.
Now, in its quest to bring universality and simplicity to its browser, Google seeks to incorporate various components of the Firefox, IE, Safari and Linux functionalities, and this is where one of the Chrome security problems has already struck—a component from an older version of Safari was used, albeit it had a known vulnerability!
My fear is that the penchant for simpler form and function can lead to a false sense of secure product development, in that the simpler (or behind the scenes, more orchestrated) workflow and information flow can seem to be more controllable against security threats.
Not quite. In security, an old adage is Complexity = Simplicity * n.
If Google can add the Secure Products gene to its DNA, then that would really be Sustainable Security—one that could shift the player’s advantage hugely in Google’s favor.
Because I am big on information security, particularly security that is done right—Security that addresses information risk as directly as possible. Security that enables business and consumers to conduct their affairs without the fear of grave business impacts.
I seek Security that is Sustainable—Security that is designed not in one point in time, but with the potential to be dynamic and that grows to address newer threats. Security that covers the comprehensive data or product lifecycles— from creation through expiration.
This blog is one that mostly underscores Security done right— in industry, with organizations, through strategies and with creative solutions.
Sustainable Security is about doing Security right.