Security: Small is Beautiful
A Story
Imagine a new procedure for your next group event. First, I tell you that you have too much stuff, so leave all your bags — backpacks, jackets, etc. — on the sidewalk outside. Then I round up some friendly volunteers off the street, and pay them minimum wage to watch your belongings. Finally, I gather some more volunteers and send one to each of your homes to browse around while you’re not there.
With Too Much Personal Data, Security Is Broken
Sounds crazy, but this is the current situation with information security. Thanks to Moore’s Law, we all have far more personal data — mostly photos and videos — than we can store and protect ourselves, so we put it “In The Cloud” on some provider’s remote server. Other personal information, such as financial, medical, and government records, is stored at bank, hospital, and government data centers that don’t always do the greatest job of protecting it. (Think store credit card breaches.) Meanwhile, on the most common computer we all operate — the smartphone — we run apps written by strangers that ask permission to do just about anything on our phone. And we grant that permission.
Self-Securing to the Rescue
Is there any hope? I think there is — there has to be — but it’s not in more network firewalls or PC antivirus programs. (Still, better keep those running until better alternatives are available!)
Here’s what I see as trends for a 3+1 solution:
- Firewalls not per network but per application, with each application protecting itself against virus infiltration and data theft
- Every task individually sandboxed, so that a hijacked task cannot reach beyond its own sandbox to do hackers’ bidding
- All data encrypted, so that even if it is stolen or intercepted it is useless to the thief and never becomes public
All these methods are available, some even with operating system support and commercial products.
The “+1”: Authentication
With every application and file locked down from the wrong people, the rightful owners still need access. So we need reliable, personal, easy-to-use authentication as well. Biometrics seems to be the way to go, but the biometric templates have to be stored and matched on each owner’s own device rather than collected centrally; otherwise we are just creating another central database waiting to be stolen, and unlike a password, a fingerprint cannot be changed once it leaks.
Challenges
While these technologies are on the way, there are still challenges from competing interests and behaviors.
One is governments — even the ones trying to protect us. One encrypted e-mail service (Lavabit, in 2013) shut down rather than submit to government surveillance, and a second (Silent Circle’s Silent Mail) closed soon after, pre-emptively, without any immediate legal demand.
The other is us — businesses and clients not ready to do our part for personal information security. I could mention easy-to-guess passwords, but here’s a better example. The other day I received a personal file by e-mail from an insurance company. The file was attached, encrypted. Sounds fine, right? Except the insurance company’s software generates the e-mails with (a) the encrypted file attached; (b) the text of the unencrypted e-mail saying that the password is my ID number; and (c) my ID number in the subject of the e-mail!
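The failure in that story is that the attachment and the means to open it travel in the same message, so anyone who intercepts the e-mail gets both. A mail gateway can catch this before sending. The check below is an added example, not the insurance company’s software or the author’s code; the two messages are constructed here, the numeric ID in the subject is a made-up placeholder, and the policy rules (no password hint in the body of a message that carries an attachment, no long numeric identifier in the visible headers) are assumptions about what such a gateway would enforce.

```python
import re
from email.message import EmailMessage

# Heuristic: a sentence that mentions "password" and then tells what it "is".
# Assumption: any such sentence in the same message as the attachment is
# in-band disclosure, whether it states the password or how to derive it.
PASSWORD_HINT = re.compile(
    r"[^.\n]*\bpassword\b[^.\n]*(?:\bis\b|:)[^.\n]*", re.IGNORECASE)

# Assumption: a run of 6+ digits in a visible header is a customer or policy
# identifier, which doubles as a password when the body says so.
IDENTIFIER = re.compile(r"\b\d{6,}\b")

# Only headers shown in mailbox listings and logs; the MIME boundary is
# deliberately excluded because it is random digits, not an identifier.
VISIBLE_HEADERS = ("Subject", "From", "To", "Cc", "Reply-To")


def text_parts(msg: EmailMessage) -> str:
    """Concatenate the decoded text/* bodies of a message, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            chunks.append(part.get_content())
    return "\n".join(chunks)


def findings(msg: EmailMessage) -> list:
    """Return policy violations for an outbound message; empty means it may be sent.

    The rules apply only when the message carries an attachment:
      1. the body must not tell the recipient the attachment password;
      2. no visible header may carry a long numeric identifier.
    """
    problems = []
    if not list(msg.iter_attachments()):
        return problems  # nothing to protect, policy does not apply
    hint = PASSWORD_HINT.search(text_parts(msg))
    if hint:
        problems.append(
            f"body discloses attachment password: '{hint.group(0).strip()}'")
    headers = " ".join(str(msg.get(h, "")) for h in VISIBLE_HEADERS)
    for ident in IDENTIFIER.findall(headers):
        problems.append(f"identifier {ident!r} exposed in headers")
    return problems


def build_message(subject: str, body: str) -> EmailMessage:
    """Constructed sample: a customer notice with a placeholder encrypted attachment."""
    msg = EmailMessage()
    msg["From"] = "noreply@insurer.example"
    msg["To"] = "customer@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 placeholder for an encrypted zip",
                       maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg


# As in the story: the password hint and the identifier ride with the file.
LEAKY = build_message(
    "Your insurance statement - ID 20150105",
    "Your statement is attached. The password is your ID number.")

# Corrected: the subject carries no identifier and the password goes out of band.
FIXED = build_message(
    "Your insurance statement",
    "Your statement is attached. The password will be sent to you by SMS.")

if __name__ == "__main__":
    for name, msg in (("leaky", LEAKY), ("fixed", FIXED)):
        print(name, findings(msg) or ["ok to send"])
```

Running the script reports two violations for the leaky message (the hint sentence and the exposed identifier) and none for the corrected one. The point of the rule is structural: the password, or the recipe for it, must reach the recipient over a different channel than the ciphertext, otherwise the encryption protects nothing.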
My Prediction
It’s going to take a while, and more denial of service events and data breaches, but the current situation is untenable. Governments and the information security industry, including big players and startups, will work together to develop and deploy standards, and easy-to-use systems, that delegate security to each application and file, and authentication to each legitimate user.
Until then, go outside to the sidewalk and see if your stuff is still there where you left it.
I presented these thoughts at the recent CyberJLM #3 in a 5-minute, no-slides, lightning talk format.
Tom,
I agree with what you’ve written, but won’t we fail at this until we reconcile business models? Aren’t FB/WhatsApp/apps/Google etc. “free” because they want access to such data? When I download an app, it asks for all sorts of permissions (at least Android tells us the details before installing, unlike iOS).
Could I pay for a non-free version that didn’t do such things? I recall options for some things in the past where one could subscribe to an ad-free version that wouldn’t be free. Is that an option for social media/networks? More importantly, is that viable?
Rahul
Rahul Tongia
January 5, 2015 at 8:21 am
Hi Rahul,
You’re right that business models have to be reconciled. “Freemium” with pay for “no ads” or “fewer permissions” is one option. But as you hint, ad-supported apps have become pretty much accepted by all participants. I believe that the next step is to make apps transparent and authenticated:
Transparent
I want to know why the app provider wants my data, what they’ll do with it, where they will or won’t store it, and how they’ll protect it.
Authenticated
I want to know reliably who the app provider is who is explaining and promising these things.
Reaching such a state will require progress in the mentality of app providers — that they acknowledge individuals’ rights to know the above.
And then it’s up to app deployment infrastructure providers, together with human interface experts, to design an app deployment infrastructure that supports communicating these things without distracting users from enjoying the apps for their and the app providers’ mutual benefit.
Tom Harris
January 5, 2015 at 11:53 am