The storm rages on – this week more revelations have come to light over the extent of the breach of Sony’s gaming network and the apparent lack of protection associated with the way users account information (including credit card details) were stored. This is just another wave of bad news washing over the online world. This along with the other recent event s which I covered in my first post on Infosec’s perfect storm continue to highlight the need for a better way to prove you are who you say you in a virtual world.
This past month, this issue became front and center in the U.S. with the unveiling of President Obama’s National Strategy for Trusted Identities in Cyberspace (NSTIC) [see my blog, President Obama’s New Role: Identity Protector in Chief]. This effort was launched to try and find a practical solution for protecting citizens from identity theft and online fraud. This problem is big – according to a recent Javelin Strategy and Research report, in 2010 companies lost approximately $37 billion to online fraud or theft and 8.1 million U.S. adults had their identities stolen.
With today’s technology, this is really unacceptable. But this is not just my opinion. Commerce Secretary Gary Locke, speaking at the NSTIC launch in April, held at the U.S. Chamber of Commerce in Washington D.C. said:
“With $10 trillion worth of commerce online, password security just won’t cut it.” – Commerce Secretary Gary Locke
In fact there seems to be a chorus of influential industry voices now calling for change as wave after wave of these attacks wash over one company and the next, including those responsible for the security infrastructure of the Internet. In an article on the compromise of a trusted certificate authority, Hackers Step Up Attacks on Security Firms, Infoworld’s Robert Lemos quotes Josh Corman, research director of the 451 Group:
“What is now required is for us to ask what kind of evolution and changes do we need to thwart those attackers who are more talented and more persistent” – Josh Corman
Good question. How do we best navigate the troubled waters of this perfect storm? The answer – with strong authentication and certificate-based identity credentials.
Certificate based identity solutions (i.e., public key infrastructure (PKI) with smart cards or USB credentials) have been around for a while, but have been saddled with the impression that they are difficult to deploy and more difficult to manage. While this was true in its infancy, the technology has evolved and is ready to take on the challenge that is staring us all right in the face.
With the sophistication and persistent nature of attacks, the increase of regulatory requirements across many sectors, and the passing of legislation – moving to strong authentication must be a top priority for protecting both corporation and individuals form online fraud.
One of the most interesting recommendations covered in the NSTIC strategy, was the call for the use of certificate based identity credentials to ensure the validity of online identity. While this will not answer all of the challenges within the online world, it does provide a way forward to secure the identity of individuals online and should be one of the most compelling security measures available to navigate the troubled waters ahead.