Who's in your Electronic Wallet?
Identity and access management (IAM) originally required only a username and password for authentication and authorization. As the technology footprint expanded to give users continuous access through remote connectivity via laptops, hand-held devices, and now the Internet of Things (IoT), this simple combination had to evolve into more complex techniques and technologies to properly validate the user. Multi-factor authentication (MFA), biometrics (fingerprints, retina scans), vocal patterns, and facial recognition have been and are still being developed and used. However, many people continue to ignore the risks and liabilities of not protecting their identities. Companies trade off security and confidentiality for the convenience and ease of use of non-invasive immediate access. For the ‘convenience’ of their employees, many organizations institute bring your own device (BYOD) policies that allow personnel to access corporate email and networks from their personal devices, which now combine both personal and corporate information. Breaching these devices puts both the end user and the company at risk. Today, you can unlock a mobile phone by simply placing your thumbprint on the ‘home button’, or unlock a laptop or tablet with your face, granting access to all of the device’s contents. Both access methods are easily ‘fooled’, putting all of the information and data on these devices at risk. On your next visit to a restaurant, see if you can determine whether the mobile device handed to a toddler to ‘amuse them’ is a personal or corporate device. Can you guess how that device was activated, and do you suppose any restrictions limit what the toddler can access?
Today, ‘smart devices’ have invaded our homes: TVs, appliances, thermostats, security cameras, digital assistants (e.g., Alexa, Google, Echo), sound systems and more. People connect all of these devices to the same home wireless networks used by their desktop systems, printers, laptops, tablets, mobile phones, and IP phones. By doing this, they increase their exposure to identity theft and to the compromise of the information held on these devices (photos, videos, contact lists, shopping patterns, conversations, health information, etc.). To make matters worse, in the vast majority of homes where these devices have been installed, the homeowner has never changed the manufacturer’s default passwords/passcodes.
Intelligent vending machines are cropping up in employee breakrooms and public areas across the globe. These machines not only accept good old-fashioned cash but also accept payment from electronic wallets on mobile phones and from credit cards, which requires the machines to be connected to the internet through wired or wireless networking. How are these devices being secured, if at all? Have they been placed on a segmented network, or simply added to the corporate backbone or hot spot as just another device? What information are they sending back to the distribution center beyond their inventory, and who else might they be providing information to?
Now, what has all of this got to do with IAM? In my opinion, everything! We have become a society of on-demand and convenience. We shop online and have purchases delivered to our front doors; we expect our house to be at the perfect temperature before we return from work; we rely on our appliances to tell us we need more eggs and milk and that we need to run the dishwasher. As a society, we focus more on ease of access than on protecting and securing our identities and information. The weakest link in the security chain is the end user. By not being vigilant in protecting our identities and data when we use technology, we expose ourselves to fraud, theft, misuse, and misrepresentation. Convenience cannot be the primary requirement for accessing technology. The value of the information stored, processed, and transmitted by the technology should be the driving factor in how users are authenticated and authorized for use. This is true for both corporate and personal devices. If you store credit card numbers, frequent flyer accounts, access codes, or personal information on your devices, you need to take appropriate measures to secure them. Ask yourself this question: “If my device is compromised, what are my potential impacts and liabilities?” Then look at how you are securing and protecting the information on those devices and decide whether you are comfortable with the access measures in place.
IAM alone will not secure the data on your devices, whether personal or corporate. IAM should be combined with additional security measures to protect sensitive information. Incorporate MFA, which requires you to have something and know something. The ‘have something’ is your finger (strictly speaking a biometric, i.e., something you are) and the ‘know something’ is the passcode or passphrase (e.g., on your mobile phone, use the biometric feature on the home button in combination with a passcode or passphrase). Also, it never hurts to consider encrypting the storage of your mobile computing devices in conjunction with your access method.
Remember, your devices and data are only as secure as you make them.