A number of things are crippling trust in the Internet and email: identity theft, email spoofing, fake SMS, fake websites, fake news, cyber criminals meticulously building fake people profiles, highly-targeted socially engineered phishing attacks ... Where will it end?
The answer in part lies in “proofing” and the security industry needs to get on top of this. It is all part of the identity management conundrum – providing the surety that you are who you say you are. And it has implications for the medical, finance, and the new sharing economy as well.
China has started with its mandatory requirement to verify and enforce that all people online are “real” with a traceable address etc. This not only should slow impersonation and criminal use but could help control credit card fraud and identity theft. It may be a breach of privacy rights, but the Cyberspace Administration of China (CAC) has that power.
Ethan Ayer, chief executive of Resilient Network Systems, explains the next steps in Identity and Access Management (IAM) solutions.
“The key to IAM will be a combination of contextual access, device-specific credentials, and proofing – all of which should leave no doubt that you are who you say you are,” he said.
Many organisations today use traditional IAM systems to secure resources by attempting to establish the identity of someone requesting access. In 2017 we'll see an increased focus on safeguarding digital assets via “context” rather than just "identity".
But, as we all know too well, identity by itself in the online world is no longer sufficient. Instead, we need to understand the complete context of any access request.
New technologies that focus on contextual access can connect to online databases and other authoritative sources to answer sophisticated questions like “Is this person a doctor?” or “Is this a trusted device?”.
It should also go much further – why does this person want to access the data at midnight from Russia when they normally live in California?
These additional attributes augment identity so that organizations can be more confident that they are granting access to the correct parties.
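The contextual checks described above (an attribute question such as “Is this person a doctor?”, a device-trust question, and a comparison of the request’s location and time against the user’s normal behaviour) can be expressed as a small policy evaluator. The following is an added example and is not code from the article or from Resilient Network Systems; the user names, device identifiers, registries, baselines and the “one anomaly means step-up, two means deny” rule are all assumptions made for illustration, and the registries stand in for the online authoritative sources a real deployment would query.

```python
"""Added example: a minimal contextual-access evaluator (not the article's own code).

The three lookup tables below are constructed stand-ins for the authoritative
sources a real system would consult (a licensing board, a device inventory,
a behavioural baseline built from the user's history).
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample data (assumptions, not real records).
CREDENTIAL_REGISTRY = {"alice": {"doctor"}, "bob": set()}
TRUSTED_DEVICES = {"alice": {"dev-4f2a"}, "bob": {"dev-9c10"}}
# Baseline: where the user normally is and the local hours they normally work.
USER_BASELINE = {
    "alice": {"location": "California", "hours": range(7, 22)},
    "bob": {"location": "California", "hours": range(8, 19)},
}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    location: str
    when: datetime          # request time, expressed in the user's local time
    required_role: str      # attribute the resource demands, e.g. "doctor"


@dataclass
class Decision:
    allow: bool
    step_up: bool           # True: allow only after a PIN/biometric on the device
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Combine identity attributes, device trust and behavioural context."""
    # 1. Attribute check against an authoritative source ("Is this person a doctor?").
    if req.required_role not in CREDENTIAL_REGISTRY.get(req.user, set()):
        return Decision(False, False, [f"{req.user} lacks role {req.required_role}"])

    # 2. Device check ("Is this a trusted device?").
    if req.device_id not in TRUSTED_DEVICES.get(req.user, set()):
        return Decision(False, False, [f"device {req.device_id} not bound to {req.user}"])

    # 3. Behavioural context: compare location and time of day with the baseline.
    base = USER_BASELINE[req.user]
    reasons = []
    if req.location != base["location"]:
        reasons.append(f"location {req.location}, usually {base['location']}")
    if req.when.hour not in base["hours"]:
        reasons.append(f"hour {req.when.hour:02d} outside usual working hours")

    if not reasons:
        return Decision(True, False, ["context matches baseline"])
    if len(reasons) == 1:
        # One anomaly: grant, but only after the device confirms the user is present.
        return Decision(True, True, reasons)
    # Two anomalies at once (e.g. midnight from Russia): deny and let a human review.
    return Decision(False, False, reasons)


if __name__ == "__main__":
    odd = AccessRequest("alice", "dev-4f2a", "Russia", datetime(2017, 1, 10, 0, 5), "doctor")
    print(evaluate(odd))
```

The ordering matters: the cheap, decisive checks (missing attribute, unknown device) run first and deny outright, while the behavioural signals only adjust the outcome between plain allow, allow-with-step-up and deny, which is how the “extra factor” the article mentions fits in.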
To the average person, this means your smartphone becomes your password, and this will be a big improvement on existing PIN- or password-based credentials.
Some set-up is required, but once you cryptographically "bind" a user account to a physical device the world is your oyster in terms of balancing security, convenience, and privacy.
Being able to ask the device, and hence the user, to enter a PIN, use a biometric or just "be human" is a great extra factor.
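To make the “bind a user account to a physical device” idea concrete, here is an added example of a device-bound credential with a PIN as the extra factor; it is not code from the article or from any vendor. Enrollment provisions a per-device secret, and each login is a challenge-response that proves possession of that device. The names, the PIN policy and the use of a symmetric HMAC secret are assumptions: real deployments bind to a per-device asymmetric key kept in secure hardware, and the symmetric variant is used here only so the example runs with the standard library.

```python
"""Added example: device-bound credential with challenge-response plus PIN.

Not the article's code. Uses an HMAC secret per device as a stand-in for the
hardware-held asymmetric key a production system would use (assumption).
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

PBKDF2_ROUNDS = 100_000   # PIN stretching; chosen for the example


class AuthServer:
    def __init__(self) -> None:
        self.devices: Dict[Tuple[str, str], bytes] = {}      # (user, device) -> secret
        self.pins: Dict[str, Tuple[bytes, bytes]] = {}       # user -> (salt, hash)
        self.pending: Dict[Tuple[str, str], bytes] = {}      # outstanding nonces

    def enroll(self, user: str, device_id: str, pin: str) -> bytes:
        """Bind a device to the account; the secret is handed to the device once."""
        secret = secrets.token_bytes(32)
        self.devices[(user, device_id)] = secret
        salt = secrets.token_bytes(16)
        self.pins[user] = (salt, self._hash_pin(pin, salt))
        return secret

    def challenge(self, user: str, device_id: str) -> bytes:
        if (user, device_id) not in self.devices:
            raise KeyError("device is not bound to this account")
        nonce = secrets.token_bytes(32)
        self.pending[(user, device_id)] = nonce
        return nonce

    def verify(self, user: str, device_id: str, response: bytes, pin: str) -> bool:
        """Accept only a fresh, correct device response AND the correct PIN."""
        nonce = self.pending.pop((user, device_id), None)   # single use: replays fail
        if nonce is None:
            return False
        expected = hmac.new(self.devices[(user, device_id)], nonce, hashlib.sha256).digest()
        device_ok = hmac.compare_digest(expected, response)
        salt, stored = self.pins[user]
        pin_ok = hmac.compare_digest(stored, self._hash_pin(pin, salt))
        return device_ok and pin_ok

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class Device:
    """The user's phone: holds the bound secret and answers challenges."""
    def __init__(self, device_id: str, secret: bytes) -> None:
        self.device_id = device_id
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def demo() -> Dict[str, bool]:
    """Run the four cases a defender cares about; values are constructed."""
    server = AuthServer()
    phone = Device("dev-4f2a", server.enroll("alice", "dev-4f2a", "4921"))
    results: Dict[str, bool] = {}

    nonce = server.challenge("alice", "dev-4f2a")
    response = phone.respond(nonce)
    results["genuine"] = server.verify("alice", "dev-4f2a", response, "4921")
    # Same response presented again: the nonce was consumed, so it is rejected.
    results["replay"] = server.verify("alice", "dev-4f2a", response, "4921")

    nonce = server.challenge("alice", "dev-4f2a")
    results["wrong_pin"] = server.verify("alice", "dev-4f2a", phone.respond(nonce), "0000")

    # Correct PIN but no bound device secret: knowledge alone is not enough.
    nonce = server.challenge("alice", "dev-4f2a")
    other = Device("dev-4f2a", b"\x00" * 32)
    results["pin_without_device"] = server.verify("alice", "dev-4f2a", other.respond(nonce), "4921")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the last two cases: the PIN is useless without the bound device, and the device is useless without the PIN, which is the “extra factor” the article describes; the consumed nonce is what prevents a captured response being reused.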
The year 2017 will be the first where proofing services (not to be confused with authentication services) grow up and get online.
Everyone knows what it is like to be proofed when you are issued your driver’s license. It is time-consuming, rigid and frustrating, but the result is your license and it is worth the trouble because it is broadly trusted.
Replicating this process online is a privacy minefield given how many bad actors out there would love access to all the valuable personally identifiable information (PII) you must disclose to prove who you really are.
New technologies exist that solve the privacy problem through careful obfuscation and compartmentalisation, but more work needs to be done on the standards. NIST recently highlighted the importance of proofing with their draft Special Publication 800-63-3A.
The security industry must focus on online proofing because it is the foundation that makes credentials trustworthy and enables e-commerce, the sharing economy and so much more.
Ayer is 100% right – we need to prove who we are and who we are transacting with. Past efforts to do this on a state or even a global level have spectacularly failed.
Look at the reviled “Australia Card” announced by Labor Prime Minister Bob Hawke in 1985 and quickly abandoned after opposition from privacy advocates.
Oh, to have real proof (yes, a passport is proof but it is not mandatory for Australians to have one) to stop welfare, voter, and ID fraud.
The problem is that there are too many silos of information and perhaps that is what the privacy advocates want.
But the Australia card was 31 years ago. Perhaps it is time the “industry” came up with a global, 100% foolproof, solution – until it is cracked by cyber criminals.