Talk About Quality

Tom Harris

Security: Small is Beautiful

with 2 comments

A Story

Imagine a new procedure for your next group event. First, I tell you that you have too much stuff, so leave all your bags — backpacks, jackets, etc. — on the sidewalk outside. Then I round up some friendly volunteers off the street, and pay them minimum wage to watch your belongings. Finally, I gather some more volunteers and send one to each of your homes to browse around while you’re not there.

With Too Much Personal Data, Security Is Broken

Sounds crazy, but this is the current situation with information security. With Moore’s Law to thank, we all have much more personal data — mostly photos and videos — than we can store and protect ourselves. So we put them “In The Cloud” on some provider’s remote server. Other personal information such as financial, medical, and government records, are stored at bank, hospital, and government data centers that don’t always do the greatest job of protecting them. (Think store credit card breaches.) Meanwhile, on the most common computer we all operate — the smartphone — we run apps written by strangers that ask permission to do just about anything on our phone. And we grant that permission.

Self-Securing to the Rescue

Is there any hope? I think there is — there has to be — but it’s not in more network firewalls or PC antivirus programs. (Still, better keep those running until better alternatives are available!)

Here’s what I see as trends for a 3+1 solution:

  1. Firewalls not per network, but per application: protecting itself against virus infiltration and data theft
  2. Every task individually sandboxed, so that no task can be hijacked to do hackers’ bidding
  3. All data encrypted so even if it’s stolen or intercepted, it’s not useful or public

All these methods are available, some even with operating system support and commercial products.

The “+1”: Authentication

With every application and file locked down from the wrong people, the rightful owners still need access. So we need reliable, personal, easy-to-use authentication as well. Biometrics seems to be the way to go, but it has to be distributed back to the owners — each of us — otherwise we’re just creating another central database waiting to be stolen.

Challenges

While these technologies are on the way, there are still challenges from competing interests and behaviors.

One is governments — even the ones trying to protect us. The first encrypted e-mail service shut down rather than submit to government surveillance, and a second one followed soon after, even without any immediate legal threats.

The other is us — businesses and clients not ready to do our part for personal information security. I could mention easy-to-guess passwords, but here’s a better example. The other day I received a personal file by e-mail from an insurance company. The file was attached, encrypted. Sounds fine, right? Except the insurance company’s software generates the e-mails with (a) the encrypted file attached; (b) the text of the unencrypted e-mail saying that the password is my id number and (c) my id number in the subject of the e-mail!

My Prediction

It’s going to take a while, and more denial of service events and data breaches, but the current situation is untenable. Governments and the information security industry, including big players and startups, will work together to develop and deploy standards, and easy-to-use systems, that delegate security to each application and file, and authentication to each legitimate user.

Until then, go outside to the sidewalk and see if your stuff is still there where you left it.


I presented these thoughts at the recent CyberJLM #3 in a 5-minute, no-slides, lightning talk format.

Written by Tom Harris

December 28, 2014 at 11:37 pm

Posted in Cybersecurity

2 Responses

Subscribe to comments with RSS.

  1. Tom,

    I agree with what you’ve written but won’t we fail at this until we reconcile business models? FB/whatsapp/apps/google/ etc. are “Free” because they want access to such data? When I download an app, it asks for all sorts of permissions (at least Android tells us the details before installing, unlike iOS).

    Could I pay for a non-free version that didn’t do such things? I recall options for some things in the past where one could subscribe to an ad-free version that wouldn’t be free. Is that an option for social media/networks? More importantly, is that viable?

    Rahul

    Rahul Tongia

    January 5, 2015 at 8:21 am

  2. Hi Rahul,

    You’re right that business models have to be reconciled. “Freemium” with pay for “no ads” or “fewer permissions” is one option. But as you hint, ad-supported apps have become pretty much accepted by all participants. I believe that the next step is to make apps transparent and authenticated:

    Transparent

    I want to know why the app provider wants my data, what they’ll do with it, where they will or won’t store it, and how they’ll protect it.

    Authenticated

    I want to know reliably who the app provider is who is explaining and promising these things.

    Reaching such a state will require progress in the mentality of app providers — that they acknowledge individuals’ rights to know the above.

    And then it’s up to app deployment infrastructure providers, together with human interface experts, to design an app deployment infrastructure that supports communicating these things without distracting users from enjoying the apps for their and the app providers’ mutual benefit.

    Tom Harris

    January 5, 2015 at 11:53 am


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s