Don't Get Mad, Get Furious: Part II
Last week I wrote a short blog on Equifax and why massive data breaches continue to happen. I also proposed that hackers are not a step ahead of us as many proclaim but rather we are a step behind due to business rules, policies and short term performance mandates.
I received numerous e-mails and comments via social media agreeing with my perspective and a few challenging the tenet that Cloud or Server biometrics can make it more difficult for hackers to access large valuable data sets without creating personal risk.
In response, I stated "there is a place in the market for both device and cloud/server based biometric security, but there is a lack of understanding on the benefits, risks and applications of both." I highlighted the personal risk and significant reward tied to disruptive change in enterprises. Many security executives see personal or career risk greater than the business risk that may be required to implement changes to address the problem.
Let's look at leaders and followers and my definition of both;
Leaders are those that research and understand a particular problem or challenge, they solicit information from multiple sources and maintain an open mind. They are passionate and keenly conscious of the details while keeping the big picture in mind. Leaders will make a decision based on the facts and risk analysis and will put it all on the line both personal and professional to solve the problem. Most good leaders will always keep the organizations best interest at heart.
Followers generally have a predisposed perspective supported by the thread of information and analysis that they follow. They will bend any and all information, including risk analysis to support their theory or perspective... Many times they will miss the breakthrough that may lead to a better approach to the problem or challenge. Personal risk and positioning will nearly always take precedent over the organization's best interest.
You may be asking why I am bringing leaders and followers into the thread. Simply put, the IT industry is riddled with both. I would bet that if the security executives at Equifax could do it again they would have spent millions of dollars to insure that their software was patched and updated to the latest security versions to protect their organization and the consumer data they manage.
All this is pretty dark and may leave you feeling hollow, but please don't dismay!! There are plenty of leaders out there, and perhaps the Equifax breach will catalyze the emergence of those who will determine the risk of not doing something far outweighs the disruption that a new and innovative solution may require. They will stand up in the next executive team meeting and demand attention and ultimately call senior management to the carpet to be sure they do everything to protect consumer assets.
I can personally attest to the short term change that this breach is having on our industry. Case in point; there is a very large financial organization that we had been working with over the past 6 months. In June they decided to put their security project on hold until 2018. Lo and behold, this past Monday we received a call that they wanted pricing to move the project forward, and on Thursday, they placed a purchase order to get started!
That is kind of take-charge behavior that can change the dynamics of security forever! It will impact consumers and enterprise users alike and may require a change in the way we access information or consummate transactions. In return it will insure a pervasive level of protection that we have not seen to date.
I am encouraged, and you should be too. If the example I gave foretells this change we will experience a more secure venue that will keep us a step ahead of the hackers who are taking advantage of our vulnerabilities not creating them!
As to the discussion on "Server/Cloud vs Device Only" biometrics…..it is time to face the facts; In a well-architected Cloud/Server biometric system that includes liveness detection at enrollment and subsequent capture it is almost statistically impossible for another individual to become you or me. Without going into exhausting detail (you can call us for that) your biometric is public information…your fingerprint was left on the door when you entered your office today or on the glass you used in a restaurant. Your face has been surveilled tens of thousands of times by public security cameras dotted around the world, and your photos are on Facebook. It is a given that a bad actor can obtain your measurements, so the handwringing about someone stealing your centrally stored templates misses the point – well architected systems distinguish YOU from someone possessing your measurements. A bad actor with your biometric measurements is not able to steal your identity, because they still are not you. To prove your identity in that well-architected solution, you must present yourself to a scanner, and then have biometrics securely captured, verified through liveness checks then presented to the cloud/server app via encrypted transport. It's the integrity of that process, which assures a real person is being measured, and prevents publicly-available measurements to be inserted into the process by an imposter.
The nay sayers need to get educated on the technology that is currently available. They need to stop spreading FUD (Fear, Uncertainty and Doubt) and listen with an open mind, asking the right questions and referencing those that are doing it right.
We have experience with a Fortune 50 company that would not allow a device authentication from their 300K plus enterprise users for access to their internal networks, applications and information. The Chief Security Officer and security team have spent 8 years maturing and developing their "Security Infrastructure of the Future" around the platform that we developed and have been enhancing for over 15 years.
Finally, I encourage you once again, "Don't Get Mad, Get Furious" because there are solutions to the problem of identity insecurity that are available today!
Chairman & CEO