The trust factor
A company’s reputation now hinges on how well its IT security systems authenticate users and protect – and respect – customer privacy.
Trustworthiness is going to become a competitive differentiator – people will no longer choose their banks depending on the distance from their homes or their interest rates, but on their trustworthiness.
So says Simon Perry, VP of eTrust at IT management software company CA: the fact that such businesses are increasingly promoting their proven track record in security as a selling point means we are at the tipping point today.
There are already parallels in other industries. “Why do different airlines and car manufacturers get away with substantially higher charges than their competitors?” he asks. “Because their safety record is better and they factor it in.” Over the next year or two, he predicts that IT security will become a similarly key differentiator.
The issue of trust is of central importance in debates around identity, authentication and federation. While companies have historically relied upon employees to keep their business passwords secret, for example, now many have implemented two and three factor authentication in order to tie each individual to unique tokens and biometric identifiers, so only one person can possibly use them. Federating identities across departments and organisations, however, relies on an enormous amount of trust on the initial authentication, since, if that is flawed, many different systems – both internal and external – are open to violation. Finally, and most emotively, citizens are being asked to trust the state to capture and hold verification of their personal identities and to use that information responsibly through a single, centralised identity database and the use of ID cards.
Two-factor authentication, where users are judged not just on what they know (a password) but what they have (a smartcard or token) has been widely adopted in the financial services industry – normally regarded as one of the most technologically advanced sectors.
For some, that is not enough. Lisa White, from consultancy Deloitte and Touche, bemoans the fact that three-factor authentication (where what users ‘are’, that is their biometric identity, is also used) is not yet in widespread use.
Toby Stevens, the director of the Enterprise Privacy Group, points out that strong authentication technology has been around for years – he got his first secure token some 12 years ago – but the technology has proven too expensive to roll out to the masses. That opens up a part for government to play.
“Government sponsorship [of identity authentication in the form of ID cards] will help,” he says. In Belgium, Stevens observes, every new PC comes with a card reader built-in, thus making the technology for at least two-factor authentication more affordable.
However, there are many instances where users are unconcerned about protecting their identity. The fact remains that people are often willing to provide personal – if not sensitive – information. Whilst it is commonplace for customers to give a supermarket access to buying patterns in return for discount points, there has to be recognition that some individuals are uneasy with the notion that they are providing a clear track of their shopping habits.
Organisations need to reinforce the individual’s choice to opt out, says Stevens. “The winning companies will be those who are able to accommodate both customers who are happy to be monitored and advised on the next product to buy, and those who want to keep their anonymity if they are, say, gambling or buying pornography. It is legitimate in society to be able to vary our profile day-to-day as we see fit.”
What are the key challenges facing security executives? At Enterprise Security 2006, Information Age asked a group of distinguished panellists.
Barry Keegan, head of asset protection and government security with the BT Group
One key challenge for us is the alignment of risk to investment. We spend a fair amount of money on both physical and logical security – both on the hard end and at the intangible end. But I think it is fair to say that we don't truly understand the always changing threat environment, the risk flowing from that, and, importantly, what the appetite for risk is.
BT is currently developing a series of models designed to help our board audit committee, and the IT audit committee, better understand what we call ‘residual risk’. It accepts that you are not going to have a perfect environment, that you are never going to be able to pay every single insurance premium.
Another key issue is security culture. It is trying to get people to understand that if you, as an employee, are part of the environment you have some obligations. And increasingly, that applies to people we partner with. For example, 48% of all access tokens I control, somewhere in the region of 200,000, are with non-BT employees. So the culture issue now needs to extend itself to people we do business with.
Michael Harrison, chairman of the government’s Protecting Critical Information Initiative
The total confusion about identity management represents a major challenge for the industry. I'd like to remove the words ‘identity card’ from the lexicon. I think if people would only communicate and understand that we are talking about the need for digital identity in a digital age.
Until the public and the media in general stop writing rubbish and start to understand that we need to have a clear digital identity to live and work and operate our lives, then things might get better.
Another key area is the lack of enterprise-wide awareness of the whole information assurance area. Awareness training has to extend throughout the organisation. The awareness of what you have to do in today’s e-age is nothing like as well understood as it has to be.
Andrew Yeomans, VP of information security at Dresdner Kleinwort Wasserstein
Identity is a key issue. The terminology people are using actually muddies the waters. Most of the things we are talking about are not identity management. There is one particular problem, which is digital credentials. Suppliers provide digital credentials, but say you have a unique system solely from them right across your organisation; when you try to get some application which works with one of these digital credentials to then work with a competitor's credentials, it is very difficult. We don't actually have truly agreed standards for them to work within.
We have got to get the credentials right with the whole security management system or else we are just automating and making easier technology that we don’t want to use, namely passwords. Let's get away from passwords, and find ways to use standardised digital credentials.