I remember when the movie The Perfect Storm hit the theaters in 2000. My wife and I were out for dinner with my parents before the movie when my mom said “why would you go see that movie – don’t you know they all die?” Needless to say, we did not know the ending which made the film a little anti-climactic to say the least.
So what does this have to do with infosec and the perfect storm that seems to be forming as I type? Much like my mom’s movie spoiler, I feel like we have known the ending for a long time – username and passwords need to be replaced.
To make a perfect storm you need several converging factors. In the movie, there were three storms crashing together right over George Clooney and Mark Wahlberg’s boat. In infosec, there are many major forces that are clashing together over today’s enterprise networks. These include:
- A series of very serious, high profile data breaches with global implications – most notably Sony, RSA, WikiLeaks and Epsilon
- The advent and success of Advanced Persistent Threat (APT) attacks
- The continued strengthening of regulations such as HIPAA, PCI and SOX that stress privacy security and stronger controls over the access to stored personal information
- Draft financial guidance from the FFIEC calling for stronger, two-factor authentication for commercial account online banking
- Now regular takedowns of massive botnets that demonstrate the scale of the problem, such as Coreflood with two million PC zombies and the Mariposa botnet with 13 million zombies, including PCs in half of the Fortune 500 (and I agree with PCWorld’s Tony Bradley that these takedowns will have little impact in the grand scheme of things)
- The strong economics of moving to cloud-based computing, which is re-shaping IT, and its companion need for certificate credentials that lock down remote resources and limit access only to strongly authenticated individuals
- On the positive side, pervasive out-of-the-box support of leading IT infrastructure software components for certificate based identity credentials and tokens, and their integration with directory services and access management layers
With these strong forces at play, it is time to look at enterprise security controls and move to technologies that provide strong authentication and increased access protection. This includes onetime password (OTP) and for areas where advanced security is needed, certificate based identity solutions.