By Taher Elgamal, Axway
The entire industry spends a lot of time and effort trying to secure machines and data — putting encryption here, security measures there, passwords everywhere — without taking action to secure the most important thing: who the users actually are.
Encryption only works if access control is done right. If you give an encryption key to the wrong guy, the encryption is meaningless. We’re a funny industry that way: despite all the talk about authentication, identity and access management, it remains by far the weakest area of the Internet security industry. As we enter bubble 3.0, with the social networking companies growing up and going public, and ever greater volumes of private information travelling across the Internet, it’s my hope that the industry will start to pay serious attention to this issue and make sure identity protection is done right.
The need for identity protection spans many scenarios — logging in to work machines, logging in to services on the Internet, using a password or RSA SecurID, and on and on. But to date there has been no real industry focus on making this aspect of the business work the way it should. From a security standpoint, there’s certainly interest in authentication technologies, but what’s lacking is a mechanism for consolidating the multiple identities, logins, passwords, etc., that we all use and continue to create.
The industry must find a way to consolidate authentication and identity protection. But it’s not easy to see from here exactly how we will reach that goal. We need a much more efficient way of handling multiple identities. Ultimately, passwords must go the way of the dinosaur, and stronger authentication techniques must come into play.
Consider the March 2011 RSA SecurID incident. Attackers succeeded in planting malware on machines that generated the credentials people use to log in. The incident illustrates the problem I’m describing: someone who was not supposed to have access to a machine got that access, and from there all they had to do was defeat the login procedure. Until we come to grips with the need for stronger authentication, incidents like this will keep happening.
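The point behind that incident is simple: a one-time-password token is only as strong as the secrecy of the seed it shares with the authentication server, so compromising the machine that holds or generates seeds is the same as compromising every login that depends on them. The Python below is an added illustration written for this page, not code from the article or from RSA; SecurID uses its own proprietary token algorithm, and the open RFC 4226/6238 HOTP/TOTP scheme stands in for it here. The seed is the RFC test value, and the "stolen seed" is simply a copy of it, constructed to show that the server cannot distinguish a legitimate token from an attacker holding the same secret.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed demo seed: the RFC 4226/6238 test secret, ASCII "12345678901234567890".
# In a real deployment the seed is generated per token and exists only on the
# token and the authentication server; whoever copies it owns the login.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `skew` adjacent steps
    to tolerate clock drift. Comparison is constant-time."""
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(seed, c), submitted):
            return True
    return False


def demo(now: Optional[int] = None) -> dict:
    """Run the legitimate token, an attacker holding a copied seed, and a blind guess
    through the same server-side verification."""
    now = int(time.time()) if now is None else now
    legit_code = totp(DEMO_SEED, now)

    # Attacker who exfiltrated the seed (e.g. from a compromised provisioning host).
    # The code they compute is byte-for-byte identical to the real token's output.
    stolen_seed = bytes(DEMO_SEED)
    attacker_code = totp(stolen_seed, now)

    # Attacker without the seed: a six-digit guess.
    guess = "000000"

    return {
        "legit_accepted": verify(DEMO_SEED, legit_code, now),
        "attacker_accepted": verify(DEMO_SEED, attacker_code, now),
        "guess_accepted": verify(DEMO_SEED, guess, now),
        "codes_match": legit_code == attacker_code,
    }


if __name__ == "__main__":
    print(demo())
```

The server's `verify` function has no way to reject the attacker: the protocol is working exactly as designed, and the only thing that failed was keeping the seed away from the wrong party. That is the author's point about access control being a precondition for every cryptographic control layered on top of it.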