Why identity protection is the next phase in security
Talk to any security expert, and sooner or later the line “It’s not a case of if you are hacked, but when” will be trotted out. It’s a good line because it is true and demonstrates how perimeter-style security has fallen by the wayside.
But consider the implicit implications of everyone eventually being breached, not as a sysadmin or security specialist, but as a user of services, and you will realise what it means for your personal information.
Whether today, tomorrow, or next year, eventually the personal information you have handed over to third parties is going to find its way online, and there is not a thing you can do to stop it.
SEE: Special Report: Cyberwar and the Future of Cybersecurity
If the chances of an organisation being hacked on a long enough timeline eventually hits 100 percent, then as a user with personal information stashed in silos all over the internet, on the same timeline the user is likely facing a percentage of information leakage that is in multiples of hundreds.
While as an industry we appear to have accepted the pragmatic security arguments of this scenario, the situation for privacy and the individual is quite the reverse.
As nation states and their agencies gear up for cyber conflict in one form or another, smaller organisations are going to be crushed, and we are unprepared for the fallout.
As an example, in the alleged campaign by Russia against the US Democratic Party, donors to the party have found their personal information included in the material posted to WikiLeaks.
Gizmodo reported the donor information included plain-text passport numbers, social security numbers, and credit card information, as well as the usual gamut of personal data such as email addresses, addresses, and phone numbers. That’s more than enough information to begin causing identity theft havoc, simply because an individual donated to a political party that a world power has a beef with.
With governments around the world squeezing IT budgets, and all but multinational business being unlikely to keep up with the sheer scale of the security threats facing them, data breaches are going to continue, and the impact of them increase.
Increasingly, organisations are beginning to talk about trust, and that’s for one simple reason: Because they need to convince users they are trustworthy enough to hand over genuine data in the battle for personal information.
This week, I attended the launch of a fintech company, Data Republic, where de-identified user data exists to be leveraged to the hilt and is regarded as an asset class. It’s not a new state of affairs, but it shows that all the firepower is on the side of gaining and using user data, not protecting it.
Hopefully in the near future, an increase in identity-protection techniques appear that work on the assumption that since personal data will leak eventually, the best way to guarantee you are not impacted is to make sure your genuine data is never there.
The problem with protecting genuine personal data and information such as biometrics is you only get one shot at it. Unlike in the rest of the IT world, it is hard to change a name or a fingerprint and start over afresh.
One technique to make sure personal information is protected could be to take the tokenisation used in the payments space and extend it to all information that vendors seek. As long as my bank or the card issuer give their approval, then vendors selling purely online products should have no interest in whether my billing name is Harry Highpants, Bugs Buggy, or Prince of Persia, or what part of Sydney I reside in.
If we can have one-time one-use credit card tokens, then surely we can have one-use identities that lower the impact of data breaches, in the private sector at least — the public sector is a much more complex and rotten kettle of fish.
As companies have shown themselves unable to securely store our valuable personal information, one way to fight back would be to ensure the data they have is less valuable.
This is a case where the market needs disrupting from an external party — there are too many vested interests at play that rely on exploitation of personal data or accept work from parties that do.
Whether it is a startup, a certain phone manufacturer, or even the banks themselves that eventually crack the identity protection market, it is time that consumers began to secure and treasure their information as much as the organisations that make money from it.