The information security market is struggling. There is no single viable solution to the increasing number and scale of data breaches. Regardless of the security systems or policies in place, or how they are deployed, serious data breaches and systemic security failures are happening across the full spectrum, from the negligent and careless to the most careful and policy-compliant.
What this tells us is that something systemic and fundamental is wrong with our general approach to information system security.
Underlying all of this is our reliance on personal identity information, even as we all recognize that identity theft has been the fastest-growing crime for over a decade. There is likely not an identity anywhere that has not been stolen. Personal identity information may be the least reliable information we have, yet we have made it the bedrock of our security paradigm.
Attached to this potentially corrupt and unreliable identity information are various secrets that serve as the locks and keys of the system security fortress. We all recognize, and have it thrust upon us almost daily, that no one can protect or keep the secrets, whether national security information, account numbers, user names and passwords, emails, or Facebook postings.
We have built our system security on corrupt information and technology, all applied to building a strong fortress with strong walls.
However, the mode of attack is less and less likely to be a system hack aimed at the technology. Instead it is more likely to be a social engineering attack aimed not at the system itself but at the users of the system.
We have to find a different way to look at security. We need to accept that we cannot keep secrets, and that personal identity information is not only unreliable but already in the hands of the attackers. We must admit that the paradigm of building strong walls is long obsolete and that information flows freely regardless of the artificial constraints we try to impose on it.
The problem we seem afraid to face but must address is that we have given the attackers every tool they need to successfully penetrate our information systems.
In my estimation, you must assume that a credential or password will be compromised. It’s inevitable. So, the solution I have been working on is to make the credential ephemeral and transitory. Even if stolen, it will become obsolete and useless before an attacker can use it to gain access to the target system.
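To make the idea of an ephemeral credential concrete, here is an added, self-contained illustration in Python. It is not the author's or InfOsci's design and is not code from this page; it shows one generic way to build a short-lived, single-use credential: the issuer signs a small payload carrying a subject, an issue time, an expiry, and a random nonce with an HMAC, and the verifier rejects anything that is expired, tampered with, or presented a second time. The key, the 30-second lifetime, the subject name "alice", and the fixed clock value in the demo are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os

# Demo signing key, generated at import time. A real issuer would hold this
# in an HSM or KMS and rotate it; it is an assumption of this example only.
SECRET = os.urandom(32)

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256 tag


def issue(subject: str, now: float, ttl_seconds: int = 30, key: bytes = SECRET) -> str:
    """Mint a credential that is valid from `now` for `ttl_seconds` and usable once.

    The nonce is what makes the credential single-use: the verifier remembers
    nonces it has accepted until their expiry, so a captured token replayed
    inside the window is still refused.
    """
    payload = {
        "sub": subject,
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "nonce": os.urandom(8).hex(),
    }
    # Canonical JSON so the bytes that are signed are the bytes that are checked.
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


class Verifier:
    """Checks signature, lifetime, and single use of credentials from `issue`."""

    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.seen = {}  # nonce -> exp; entries are dropped once they expire

    def verify(self, token: str, now: float):
        """Return (subject, "ok") or (None, reason)."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except Exception:
            return None, "malformed"
        if len(raw) <= TAG_LEN:
            return None, "malformed"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]

        # Signature first, with a constant-time comparison, so that neither
        # the payload nor the reply timing leaks anything before it is trusted.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad signature"

        payload = json.loads(body)
        if now >= payload["exp"]:
            return None, "expired"

        # Forget nonces whose credentials can no longer be valid, then refuse
        # a nonce that has already been spent inside its window.
        self.seen = {n: e for n, e in self.seen.items() if e > now}
        if payload["nonce"] in self.seen:
            return None, "replayed"
        self.seen[payload["nonce"]] = payload["exp"]
        return payload["sub"], "ok"


if __name__ == "__main__":
    # Constructed demo clock; a fixed value keeps the walkthrough deterministic.
    t0 = 1_700_000_000.0
    v = Verifier()
    tok = issue("alice", t0, ttl_seconds=30)
    print("first use at +5s:  ", v.verify(tok, t0 + 5))
    print("replay at +6s:     ", v.verify(tok, t0 + 6))
    stolen = issue("alice", t0, ttl_seconds=30)
    print("stolen, used at +31s:", v.verify(stolen, t0 + 31))
```

The verifier's replay cache only has to remember a nonce for as long as the credential could still be valid, which is what keeps single-use checking cheap when lifetimes are seconds rather than months. In a distributed deployment the cache has to be shared or the credential bound to one verifier, and the clocks of issuer and verifier need to agree to within a small fraction of the lifetime.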
Until the security market realizes that its foundation is not on solid ground, users will continue to rely on credentials that can be stolen and used to do harm.
John Ellingson is the Co-Founder of InfOsci.