Identity is key. It matters if you’re about to purchase online, make a change to your network or even browse the web. In the business environment, every transaction should be pinned to and associated with an identity. Civilised countries commonly dictate this requirement, allowing for the freedoms to choose what level of trust you pin to an assumed identity.
Whilst many of my colleagues are sat in Las Vegas at Splunk’s .conf conference, I’m actually writing this poolside a few thousand miles from home. Watching the TV and listening to radio is subjecting me to a constant stream of foreign advertising. I was actually ignoring most of it, when it suddenly dawned on me that there was a common theme. There are loads of firms in America currently advising protection against identity fraud.
Diving for identities
In the good old days, identity fraud required you to ‘dumpster dive’. You had to capture documents about the individual you wished to imitate. The mass purchasing of paper shredders (worst Christmas presents ever!) soon stopped that. In the modern digital era though, you don’t even need paper to assume someone else’s identity.
Impersonation by intercepting someone else’s transaction, or by using a colleague’s account because they have different privileges to yourself, causes harm and is a costly risk to business. Both are easily prevented with well-implemented technical security controls.
This is where identity is key again. Time and time again I find myself referring people to NIST Special Publication 63. For those bureaucrats who insist on having a written reason why before they will consider anything, this is the document for you.
I’ve given advice to many a digital programme over the years, many of which have fallen foul of trying to apply either too much, or too little security. They implement strong authentication systems without consideration to identity. Not only do they run the risk of higher implementation costs, they also destroy the ‘user experience’ when in reality they could have opted for lesser (and better) solutions.
So what’s with all the adverts?
So watching the TV over here right now there is an infomercial for something called “livelock”. I’ve not looked into this product too much and I don’t mean to pick on just this one solution. I’m sure there are dozens far worse advertising on TV right now, but I’m going to randomly choose this one to talk about. I had forgotten just how much protection we get in the UK from unsubstantiated claims. This infomercial ends full of them.
Unlike commercial CyberSecurity insurance, it works on people purchasing a subscription. You then get a host of ‘Norton’ products (can anyone hear alarm bells yet?) and an insurance policy to claim for $1M of legal fees if someone assumes your identity. But that’s not all, you get $25k for other costs to put things right. What’s more, as part of the service – and this is a big selling point – you get an App to constantly monitor your identity. Think of it as a ‘live’ feed of your credit score. All good things – but there’s a bit of a catch here.
Don the tinfoil hat
I may be overcautious, but I see a number of security flaws here. First of all is the sign-up process. All you have to do is provide your name, email, date of birth and the usual trawl of common answers to security questions (mother’s maiden name, first car you owned, name of first pet, etc.).
This is now a website/company that has enough to assume your digital identity anywhere. The next stage is the Terms and Conditions, in which you are legally allowing them to assume your identity for the basis of monitoring your identity. Call me paranoid, but surely the best way to protect your digital identity is not to give it away to a company you don’t know?
These adverts have prompted me into action, writing a new blog post after a hiatus of a fair few months. Purely coincidentally though, I have another reason to write about this. As a company, we’ve been asked to present at a ‘Yorkshire 30’ lunch session. In conjunction with Jelf, I’ll be doing a slot on CyberSecurity insurance and what it actually means when something goes wrong. For those in attendance, you already know that protecting digital identities is going to get a strong mention.
Elections are rapidly approaching in both the UK and the US. Digital identities are now pinned to physical ones and there are larger risks of electoral fraud. With huge budgets and nation state interference, we need some of the ‘big players’ to stand up and help. They need to promote better identity protection. For clarity, I’m not talking about Facebook, Twitter or any of the other Social Media companies out there. What we really need right now is a BAe or Lockheed style company to ethically help out.
Final reminder: Identity is key
Don’t let identity protection mechanisms be controlled by the SnakeOil salesmen.