Last updated: 20 May 2014
What is digital security? It is a question that individuals, companies and attackers alike grapple with. The digital landscape is changing rapidly, and security has had to evolve at the same pace, which means all of us need to keep up with the latest developments in order to stay secure.
We believe that digital security is fundamentally about trust in the exchange of data: between a user and a network or cloud service, or between two users communicating across a network. The way to establish that trust is with a trusted digital identity.
So what does that break down into? There are ultimately three pillars of data security:
– Integrity: we must be sure that the data we are protecting has not been modified or corrupted, in transit or at rest. Closely tied to this is authenticity: does the data really originate from the claimed source, and is that party who they say they are?
– Confidentiality: we must keep data private, limiting access to specific, pre-authorized people or organizations.
– Availability: the system has to keep working, so that interactions and transactions can take place reliably whenever they are needed.
How does the system work? It starts with reliable authentication of people before access to a given service is granted or denied.
There are many ways to authenticate, but they all come down to a person presenting something only they know (a password or PIN), something only they have (a token or a chip card), or something they are (a physical characteristic such as a fingerprint or another biometric). This is communicated to the service provider via the network or cloud to prove the person's identity, and on success they are given access to the service.
However, this process requires unique information to be transmitted to the cloud, and that is where the vulnerability lies. If this information is intercepted, a third party holds your authentication credentials and can impersonate you ("identity theft"). Therefore several additional measures have to be put in place to secure what was originally a simple authentication step.
Firstly, identities need to be protected along the entire communication chain, from the keyboard that asks for your password, or the fingerprint sensor, all the way to the cloud service. Every exchange with the network should be encrypted, and the encryption keys and the authentication software on both sides (user and network) have to be stored and executed in protected hardware: a secure element on the user's device, and a Hardware Security Module (HSM) on the server side. On top of this, dynamic random challenge-response exchanges let each side prove its identity to the other without ever repeating the same messages, so a recorded exchange cannot simply be replayed by an eavesdropper.
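The mutual challenge-response exchange described above, shown as an added example that is not part of the original post or of any Gemalto product. The `Server`, `Device` and key names are hypothetical; the shared key stands in for a credential that would really live inside a secure element on one side and an HSM on the other. Each side answers the other's fresh random challenge with an HMAC, and the server consumes each challenge once, so a captured answer is useless against the next challenge.

```python
import hashlib
import hmac
import secrets

# Constructed example key. In a real deployment the per-device key is
# provisioned into the device's secure element and into the server's HSM
# and never leaves either; here both sides simply hold the bytes.
DEVICE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def _proof(key, role, challenge, nonce):
    """HMAC-SHA256 over a role tag and both fresh nonces. The role tag stops
    a captured server proof from being reflected back as a device proof."""
    return hmac.new(key, role.encode() + b"|" + challenge + b"|" + nonce,
                    hashlib.sha256).digest()


class Server:
    """Network side: issues a fresh random challenge per attempt and keeps
    only one outstanding challenge per device."""

    def __init__(self, key):
        self._key = key
        self._pending = {}  # device_id -> challenge awaiting a response

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id, device_nonce, device_proof):
        """Return the server's own proof on success, None on failure. The
        challenge is consumed either way, so one challenge answers once."""
        challenge = self._pending.pop(device_id, None)
        if challenge is None:
            return None
        expected = _proof(self._key, "device", challenge, device_nonce)
        if not hmac.compare_digest(expected, device_proof):
            return None
        return _proof(self._key, "server", challenge, device_nonce)


class Device:
    """User side: answers a challenge and checks the server's answer."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key

    def respond(self, challenge):
        nonce = secrets.token_bytes(16)
        return nonce, _proof(self._key, "device", challenge, nonce)

    def verify_server(self, challenge, own_nonce, server_proof):
        expected = _proof(self._key, "server", challenge, own_nonce)
        return hmac.compare_digest(expected, server_proof)


def mutual_auth(server, device):
    """Run one full exchange. True only when both sides are satisfied."""
    challenge = server.challenge(device.device_id)
    device_nonce, device_proof = device.respond(challenge)
    server_proof = server.verify_device(device.device_id, device_nonce, device_proof)
    if server_proof is None:
        return False
    return device.verify_server(challenge, device_nonce, server_proof)


def replay_is_rejected(server, device):
    """An eavesdropper records a device's answer and replays it against the
    server's next challenge. True if the server correctly refuses it."""
    challenge = server.challenge(device.device_id)
    captured = device.respond(challenge)
    server.verify_device(device.device_id, *captured)  # the genuine login
    server.challenge(device.device_id)                 # new session, new nonce
    return server.verify_device(device.device_id, *captured) is None


if __name__ == "__main__":
    srv, dev = Server(DEVICE_KEY), Device("se-0001", DEVICE_KEY)
    print("mutual auth:", mutual_auth(srv, dev))
    print("replay rejected:", replay_is_rejected(srv, dev))
```

The role tag inside the MAC matters: without it, a proof the server sent could be played back to the server as if it were the device's proof, since both are HMACs under the same key over the same two nonces.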
Secondly, to reduce the risk of large-scale attacks on central identity databases, and to make transactions fast, user verification can also be carried out "locally", inside the device that stays in the user's possession. This is what happens when you pay with an EMV Chip & PIN card in a store and the payment is accepted immediately. When you enter your PIN, the card itself checks it, approves the transaction after its own checks, and generates a cryptographically authenticated authorization (an application cryptogram computed with a key that never leaves the chip) that can be forwarded to the bank later, for example in an overnight batch, so you do not have to stand in line waiting for a real-time confirmation.
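The local verification and deferred settlement just described, as an added example that is not part of the original post and is not EMV's actual algorithm. The `Card`, `Issuer` and `terminal_sale` names are hypothetical, the card key and PIN are constructed, and the cryptogram is an HMAC-SHA256 stand-in for EMV's block-cipher MAC. The card checks the PIN offline with a retry counter, approves with a MAC over the amount and a transaction counter, and the issuer later rejects records that were altered or submitted twice.

```python
import hashlib
import hmac
import secrets

# Constructed per-card key. In EMV it is derived from an issuer master key and
# personalised into the chip; the issuer re-derives it inside an HSM. Both
# sides simply hold it here.
CARD_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def _cryptogram(key, pan, amount_cents, atc, terminal_nonce):
    """Stand-in for an EMV application cryptogram: a MAC over the data the
    issuer must be able to trust later. HMAC-SHA256 truncated to 8 bytes is
    used here instead of EMV's 3DES/AES-based MAC."""
    data = f"{pan}|{amount_cents}|{atc}|".encode() + terminal_nonce
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Chip-side logic. The reference PIN and the card key never leave the card."""
    MAX_TRIES = 3

    def __init__(self, pan, reference_pin, key):
        self.pan = pan
        self._pin = reference_pin
        self._key = key
        self._tries_left = self.MAX_TRIES
        self._atc = 0  # application transaction counter, one step per approval

    def verify_pin(self, candidate):
        if self._tries_left == 0:
            return False  # card is blocked; further guessing does not help
        if not hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._tries_left -= 1
            return False
        self._tries_left = self.MAX_TRIES
        return True

    def authorize(self, candidate_pin, amount_cents, terminal_nonce):
        """Offline approval: (atc, cryptogram) on success, None otherwise."""
        if not self.verify_pin(candidate_pin):
            return None
        self._atc += 1
        return self._atc, _cryptogram(self._key, self.pan, amount_cents,
                                      self._atc, terminal_nonce)


def terminal_sale(card, entered_pin, amount_cents):
    """Point-of-sale side: obtain the card's approval now and queue a record
    for the end-of-day batch to the issuer. None means the sale was declined."""
    nonce = secrets.token_bytes(4)
    approval = card.authorize(entered_pin, amount_cents, nonce)
    if approval is None:
        return None
    atc, cryptogram = approval
    return {"pan": card.pan, "amount": amount_cents, "atc": atc,
            "nonce": nonce, "cryptogram": cryptogram}


class Issuer:
    """Bank side, run over the batch later: recompute each MAC and require a
    strictly increasing ATC so a record cannot be submitted twice."""

    def __init__(self, card_keys):
        self._keys = card_keys  # pan -> card key
        self._last_atc = {}

    def settle(self, record):
        key = self._keys.get(record["pan"])
        if key is None:
            return False
        if record["atc"] <= self._last_atc.get(record["pan"], 0):
            return False  # replayed or out-of-order record
        expected = _cryptogram(key, record["pan"], record["amount"],
                               record["atc"], record["nonce"])
        if not hmac.compare_digest(expected, record["cryptogram"]):
            return False  # amount or other data altered after the card approved it
        self._last_atc[record["pan"]] = record["atc"]
        return True


if __name__ == "__main__":
    card = Card("4000000000000002", "1234", CARD_KEY)
    issuer = Issuer({card.pan: CARD_KEY})
    record = terminal_sale(card, "1234", 1999)
    print("approved offline:", record is not None)
    print("settled:", issuer.settle(record), "again:", issuer.settle(record))
```

Note what the bank never sees: the PIN. It only receives a MAC it can recompute, so a compromise of the settlement channel yields no credential that could be used to impersonate the cardholder.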
These "strong authentication" methods have become an industry standard. Secure elements, the tamper-resistant chips that run dedicated security software and protect identity credentials, have been deployed in their billions and are part of everyday life: each of us carries several, in a mobile phone or a wallet, and the exponential growth of networked interactions calls for their wider use in the future. By supplying both the secure elements and the servers that manage authentication and identity credentials, Gemalto provides the technology components needed to establish trust in digital interactions.
The amount of valuable data held on networks has grown enormously, while the computers and mobile devices we use to access it have relatively weak built-in defences. This is why we have seen more and more hacks and security breaches at major global companies in recent years, even though most of them use advanced security technology for some of their processes. The good news is that things are changing: the technology and standards to protect our mobiles and PCs properly are available, with the realistic hope that in the coming years what we do online will give less cause to fear malicious use.
So, what is digital security? It is what enables us to take advantage of digital opportunities and a digital lifestyle with confidence.