A Look into the Disrupting Industry of Cyber Space

Jerrod Chong, VP of Solutions, Yubico

Cloud computing roared into this millennium with promised efficiencies, cost savings, guarantees of lightning-quick deployments, and assurances that companies could finally focus on their core competencies, leaving computer networks to the pros.

It was an exciting rush forward, but a few important elements continue to lag behind — most notably security. Today, that original omission contributes to thorny global issues, including password theft, data protection, encryption, privacy, and trust.

These are modern challenges for the cloud, where users often don’t know where their personal and other data resides, or what is ensuring its safety.

Cloud vendors, however, are not without awareness or concern. Hackers have pilfered millions of user records including names, passwords, account numbers, and other personally identifiable information (PII). But technology is in a period of innovation that is modernizing security constructs such as authentication, authorization, and encryption with a goal of addressing these global issues.

Application Security

Today’s problems emanate from many areas. Application development and software updates are faster and more scalable than ever with online development tools and repositories, a variety of code hosting services, and app publishing with continuous integration done at lightning speeds. This often means a slow, careful review of security becomes a quick glance, or is left for someone else to solve.

The current hacking environment proves security has long been an afterthought in both development and deployment, from insecure access to code repositories to reckless distribution of signing keys.

This speed coupled with these shortcuts can result in security flaws that allow hackers to install malware and impersonate users and/or services. The consequence of these bad practices escalates further when hackers use their initial intrusion to launch additional attacks on privileged accounts. Not only is user trust lost, but the service itself is compromised.

Today, second-factor authentication is used by forward-thinking sites to protect access. And modern application frameworks, such as The Update Framework, are incorporating hardware-protected root keys, asymmetric cryptography, and tighter API authentication security to improve the state of application development.

User Identity - Federation and Authentication

Security advances, including trends around authentication and authorization, aim to combat these threats and provide even more protections. Time, innovation, politics, and court rulings will tell if these efforts can change the current storyline.

The industry needs to step up and work together on creating more open standards while limiting the growth of proprietary technology stacks.

Modern identity management and authentication propose a logical starting line, which has already seen two of the largest identity providers, Google and Microsoft, step up to compete with offerings that promise cloud-based identity-as-a-service (IDaaS).

Standards such as the Internet Engineering Task Force’s OAuth protocol and its derivatives, such as OpenID Connect, are providing authorization, federated identity, and user-managed access (UMA) for protecting access to PII. Identity federation limits the number of logins a user needs to access their plethora of cloud applications. This offloads the burden and risks of password onboarding and management from cloud and web-based application providers.

The FIDO Alliance has created strong authentication based on public key cryptography that runs the gamut of authenticator choices from hard tokens to biometrics on desktops, mobile devices, or smartphones. These authenticators work over various modern transports such as USB, Bluetooth, and Near Field Communication. FIDO authentication protocols work in tandem with federation, allowing users to securely authenticate with a credential that eliminates using the password as a security gate. In addition, the World Wide Web Consortium (W3C) is standardizing new web authentication APIs for use with any browser.

Encryption

The best security practices should mandate encryption whenever and wherever possible, despite the global debate that followed this year’s Apple-FBI showdown.

Both devices and services should use encryption to preserve the safety and integrity of data. While debate on this topic will continue to churn in political arenas, the effectiveness of encryption to protect information and privacy is not in question.

The jury is still out on whether attacks using quantum computing are feasible, but systems and devices need to be flexible enough to adapt to new techniques. This requirement means open standards must replace proprietary solutions.

The combination of these innovations offers greater security for both service providers and end users. But to reach this goal, developers need to move security near the top of their feature lists, service providers have to demand ease-of-use to ensure adoption, end users need to grasp the value of their personal data and incorporate appropriate security measures into their digital lives, and governments need to establish precedents for prosecuting hackers, and punishing organizations and vendors that fail to deploy and maintain adequate security.

The security challenge at hand is figuring out how to store less user data, and have it be protected by better security. Today, cyber criminals have the upper hand, but there have been no concessions, and the game is far from over.
