Monday, April 18, 2016

Security or Something Like It

An interesting conversation happened around me today about all the high-profile data breaches that have occurred and whether they could have been prevented. There was, of course, the one lunatic valiantly arguing that they could have been but weren't because of some grand conspiracy.

The unfortunate thing was that, at the core, he was correct. Security is possible, and not nearly as hard as we think. Just harder than we would like.

As I organized my internal retort, I realized that cause and cure, like many things, are very much related. So I wanted to write down my thoughts while fresh, for your amusement.

The crux of making security accessible and easy is reducing the factors and the bits involved. The crux of making security robust and reliable is increasing the factors and using addition by division to increase the number of bits involved.

Let me explain through gratuitous use of some over-simplification.

When logging in with a name and password, I have only the two bits and the one step. If that login grants me access to a system that lets me reach customers, their details and their transactions, that is easy for me to use.

If you want to hack me, just get my two bits and go to town on everything. This is vulnerable.

Today, the big thing is to add an additional factor, for two-factor authentication. This is just one step along the way to three-factor authentication, which is about the most you can ask for with today's accessible technologies. A simple way to explain three-factor authentication is that it requires something you are, something you have, and something you know. In modern two-factor, we use a phone or fob as the "something you have" and the password as the "something you know". This is because we haven't really gotten wide adoption of "something you are" like fingerprints, retinal scans, or other biometrics. Some of you may have experienced this at passport or other controls where they've taken your fingerprints or a retinal scan, but this isn't exactly day-to-day for most people.

When there is only one step, the authentication part is addressed by adding these factors, and so they make it harder to use. If you want to address the other aspects of security, you also need to add more bits.

Going back to our example, suppose I had split the data so that customer data was saved in one system and transaction data in another. I've divided the data, which adds more bits. Or I could separate the work into two steps (request work, commit work) done by two different actors. This is on the way to the four-eyes principle, which requires that two people collaborate to complete an activity. Notice that both are addition by division: one divides data, the other divides people.

You could extend this again to real-time audit and detection systems that use the same technique to determine whether the work being performed matches some normal profile. This works by dividing control into normal processing and oversight. It adds bits, but catches discrepancies between systems.
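The data split, the request/commit split and the oversight pass from the last two paragraphs, as an added toy example (my code, not the author's). The Ledger, Transfer and audit names, the constructed sample data, and the rule that a requester may not approve their own request are all assumptions made for the illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Transfer:
    customer_id: str
    amount: int
    requested_by: str
    approved_by: Optional[str] = None

class Ledger:
    """Holds transaction data only; customer data comes from a separate store
    (assumed to sit behind its own credential), so one login exposes less."""
    def __init__(self, customer_store: Dict[str, str]):
        self.customers = customer_store
        self.pending: List[Transfer] = []
        self.committed: List[Transfer] = []

    def request(self, actor: str, customer_id: str, amount: int) -> Transfer:
        t = Transfer(customer_id, amount, requested_by=actor)  # step 1: intent only
        self.pending.append(t)
        return t

    def commit(self, actor: str, t: Transfer) -> Transfer:
        if actor == t.requested_by:  # step 2, four-eyes: a second person approves
            raise PermissionError(f"{actor} may not approve their own request")
        t.approved_by = actor
        self.pending.remove(t)
        self.committed.append(t)
        return t

def audit(ledger: Ledger) -> List[Tuple[str, Transfer]]:
    """Oversight kept apart from processing: re-check each committed transfer
    against the other system and against the four-eyes rule."""
    findings = []
    for t in ledger.committed:
        if t.customer_id not in ledger.customers:
            findings.append(("unknown-customer", t))
        if t.approved_by in (None, t.requested_by):
            findings.append(("four-eyes-bypassed", t))
    return findings

def demo() -> List[Tuple[str, Transfer]]:
    ledger = Ledger({"c1": "Alice", "c2": "Bob"})  # constructed sample data
    ledger.commit("ops-2", ledger.request("ops-1", "c1", 100))  # clean path
    # Someone holding only the ledger credential writes straight to the table,
    # skipping the workflow; the separate audit pass is what catches it.
    ledger.committed.append(Transfer("c9", 999, "ops-3", "ops-3"))
    return audit(ledger)
```

Stealing the ledger credential alone yields no customer names, and a write that skips the two-person workflow shows up as a discrepancy the next time the audit runs.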

In the end, it's easy to throw more encryption at the problem and say that it will fix any security vulnerabilities that might exist. In reality, if the number of bits involved doesn't change, you're just pushing the vegetables around the plate. You can add factors to reduce entry vulnerabilities, or use addition by division to increase the number of bits and change your overall vulnerability profile.

You can have it easy, secure, or fast. Pick two.