Following my recent post on just how free America is when it comes to enterprise security and the CIO's responsibility, I had an interesting exchange on LinkedIn with a peer, Anders Rundgren of PrimeKey Solutions, who took the discussion further. I like to share these conversations on our blog, as I advocate the education and analysis of the various solutions that exist now and may arise in the future.
Here is our debate on remote access security, exploring which industries and verticals have embraced the latest technologies and which ones are still playing catch-up.
Anders Rundgren: “The most telling statistic from our research is the nation’s apparent apathy towards remote access security.” I think one of the reasons is that the US Government with its PIV program never considered how this genuinely great initiative could be reused by the private sector, including banks. Unfortunately, Microsoft, who owned the desktop, never thought of that possibility either.
Ray Wizbowski: I completely agree with you. Since the establishment of HSPD-12 and all of the subsequent identity activity, the primary implementation has been the federal government, with a special focus on the DoD. While this has been a significant stride in protecting the government data networks, it has yet to push very far into the private sector, with the exception of defense contractors.
But I wouldn’t hang Microsoft on this one. They have actually been a strong advocate of this type of technology, building the ability to use certificate-based identities into the OS stack and developing the certificate management features into Forefront Identity Manager (FIM). Today, Microsoft employees use a .NET-based smart card for physical and logical access. This mirrors the PIV implementation.
The real challenge from my perspective is the strong focus on network-based protection, leaving the user as the weak point in the system. And with the proliferation of mobile computing devices, you get a bit of a perfect storm of weak user access credentials combined with users who are outside of the traditional network-based security measures. There needs to be a balance on strengthening the end users’ online identity credentials, coupled with the years of good work and investment that have been made in network security layers. Combine these together, as has been done with PIV, and you end up with a much stronger system that can protect remote access.
Anders Rundgren: This is correct, but this is entirely focused on the enterprise/government market. I.e. mainstream consumer activities like on-line banking or doing secure credit-card payments on the Internet haven’t gotten any attention from Microsoft. The banks therefore build their own client software.
Ray Wizbowski: You are right. The real practical consumer applications for this technology have not been realized, leaving a gap for cyber thieves to exploit. I am hoping that, with the shift to EMV by 2015, we might see some of the PIV-like benefits make it to the retail banking industry to help reduce fraud in online banking and ecommerce.
So there you have it. 2013 will be a year to watch as we move closer towards EMV adoption. We need to stay two steps ahead of the fraudsters and cyber thieves, and only by sharing and discussing the details can we ensure that best practices are in place.
Do share your thoughts below too.