Print
Discuss
Send to friend
RSS feedsTo paraphrase the estate agent's maxim, security is about authentication, authentication and authentication. Most security problems occur because there is no way of verifying that a particular piece of software is actually what it claims to be. The rest arise because there is no way of verifying that a particular user is actually who they claim to be. Authentication goes to the heart of current IT security headaches.
Which is why I was fascinated to talk recently with a software company that claims its product stops buffer overflows and every other form of malware. Better still, SecureWave's tools do this without requiring a recurring subscription to keep the tools updated.
The SecureWave system, like those of its competitors, maintains a whitelist of programs that are allowed to run. Rather than using a list of program names, the whitelist is based on digital signatures of each piece of approved software, and is encrypted to prevent anyone from corrupting it.
When combined with a strong user authentication system, such as RSA's time-based token, much malware, spyware and computer fraud could be stopped in its tracks.
Of course, people are not foolproof. Tokens could be stolen, and people can be talked into bypassing security systems. Convicted hacker Kevin Mitnik describes the problems in his book The Art of Deception. And, as security guru Bruce Schneier recently pointed out, strong authentication systems can be bypassed by trojan software - unless something is done to prevent trojans from running.
So for IT security to improve, we need to start asking people and software to prove their identity before allowing them to do anything. The days of allowing unsigned software to run free and wild on your servers are numbered.
Right now we need to decide who will own the user authentication tokens. I don't know about you, but the last thing I want from my bank or any other supplier, is for them to give me a security token to log into my account.
Before long I'd need to carry a suitcase full of tokens for the various accounts and personas I use in my daily life. It seems to me that a security token should contain no personal data and should be usable by any number of applications, each not necessarily aware of any other applications the token might be used for. I'd rather buy my own token and connect it to the systems that I use.
Which is why I was particularly interested by security specialist RSA's announcement last month of an authentication service designed to let large retail organisations such as banks provide strong authentication to their customers without either party needing to invest heavily in the back-end security technologies. Whether the RSA scheme itself turns out to be a success or failure is not very important to me, but it is the first sign of a new era of strong authentication for all.
Phishing attacks and other types of identity fraud mean simple passwords and even chip and PIN security for credit cards may soon be a thing of the past. The day will soon come when we will all want to own our own security token in the same way that most people own a wristwatch today.
del.icio.us
Digg this
reddit!
