IT security professionals are engaged in a game of cat and mouse with hackers. As fast as they deploy security countermeasures, these rogue elements discover loopholes or entirely new avenues of attack. Traditional security methods have relied upon closely guarding the perimeter of a company's network. The continuously escalating and mutating threat environment has led many firms to layer security countermeasures one upon another: starting with firewalls, companies have added intrusion detection and prevention systems, malware filters, client-side firewalls, and encrypted network tunnels. A networked business can create a virtual fortress around its infrastructure, but it still must share information with mobile employees, external business partners, and remote customers. This fortress does not provide business with an adequate level of security and does not stop hackers preying on sensitive data.
Cisco published a report summarizing the status of IT security worldwide and determined a quantitative index describing this status. According to this report, "Enterprise Networks are experiencing persistent infection. Consumer Systems are infected at levels capable of producing consistent and alarming levels of service abuse." More money is now being made from cyber-crime than the billions that come from drug trafficking. Last year there were more online bank robberies than actual on-site bank robberies. Many consumers suffered ID theft. A large percentage of consumers who experienced this issue decided to refrain from using the Internet, causing much concern to banks and other institutions. Organized crime funds these activities and makes huge profits. In a US Senate hearing the figure of $1 trillion was mentioned as the result of cyber data theft. An extensive cyber-crime network exists with a clear division of labor. RSA coined a name for this network: Fraud as a Service. The ultimate goal of this network is one: to steal sensitive data.
Where does this lead? Howard Schmidt, an adviser to President Obama, predicts a perfect storm caused by a combination of several factors occurring simultaneously.
One can argue that some of the factors mentioned here can be dealt with, but we must realize that by rapidly expanding our application platforms we ourselves are weakening IT security. There is an inevitable trend that will cause the situation to worsen in the future: the increasing complexity of IT systems. The more complex our systems and networks become, the more points of vulnerability and security failure will occur: the number of security bugs goes up; increased modularity means more security flaws, because security often fails where two modules interact; and the more complex a system is, the harder a security evaluation becomes and the harder the system is to understand and analyze. IT security teams must continue their Sisyphean effort just to keep up and protect the perimeter from being overrun by our adversaries.
So we need to realize that in the future we cannot completely prevent penetration of computerized systems, and we must be prepared to cope with this situation. We must admit that we cannot really keep the bad guys out.
Dealing with the failure to keep the bad guys out
If we cannot keep them out of our perimeter, we still must protect the data that is valuable and sensitive. This protection must be scalable and adequate for data sensitivity: the more sensitive the data, the stronger the protection becomes. It should be mentioned that data-centric security inevitably introduces some burden on data users. Therefore it must be applied in proportion to data value. Most of the data we use today is insensitive and may be left intact. Of course, what is sensitive and what is not is decided by data owners. There are two main types of potentially sensitive data: transaction data and unstructured data. Sensitive transaction data includes anything that may be monetized immediately and therefore must be protected in real time, as well as in transit and in storage. Unstructured data cannot be monetized immediately and therefore must be protected in transit and in storage only.
Transaction data protection
Let's start with transactions. Gartner analysts published in December 2009 that all existing means of strong authentication are inadequate to protect transaction integrity, for the simple reason that Trojan horse malware resident on our infected PCs circumvents them. Nearly 50% of PCs worldwide are infected with some sort of malware. The vulnerability exploited is called Man in the Browser. A Man-in-the-Browser (MitB) is a Trojan that infects a web browser and has the ability to modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. The MitB Trojan works by utilising common facilities provided to enhance browser capabilities and is virtually undetectable to virus scanning software. In an example exchange between user and host, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Therefore US regulators and the FBI recommend that all financial activities be performed only from dedicated computers. Obviously this is a short-term solution. It has been demonstrated that out-of-band transaction confirmation, such as an SMS sent to a mobile phone, merely adds complexity to the process and is still vulnerable to targeted attack. The need exists for a malware-resilient solution to the problem.
Our solution is a 2-stage process including signing of the web form by the user and authorization of the signed form by the service provider. No transaction will be authorized without both stages fully completed. In order to use our Software-as-a-Service, the end-user must download our client software, register his PC and enroll his biometric voiceprint; the whole process takes less than a minute. The signing software includes a data verification module that ensures that What You See Is What You Sign, a strong authentication module that ensures the identity of the person signing the transaction, and an Advanced Electronic Signature module that ensures transaction integrity in transit and at rest.
The following flow highlights the signing process for a medium-sensitivity transaction. The end-user signs a web form for a third-party money transfer. Our software prompts the end-user to confirm transaction integrity and verify the data. Finally the end-user is prompted to enter his 4-digit PIN. It takes about 15 sec of end-user time to sign a filled web form. A medium-sensitivity transaction is signed using 2-factor strong authentication, including a proprietary PC ID (something you have) and PIN (something you know). Higher-sensitivity transactions may be signed using 3-factor strong authentication by adding live voice biometrics (something you are).
The signed web form includes 2 parts: end-user attributes and transaction details. It complies with the definition of an Advanced Electronic Signature. Both end-user and service provider keep the same signed web form for future audit. The service provider may access this signed web form through our API. This solution is malware-resilient, does not require any dedicated hardware and does not add complexity to the business flow. It is generic and applicable to banking transfers, e-commerce purchases, insurance claims, healthcare prescriptions and e-government voting.
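To make the two-stage flow concrete, here is an added Python example (not the product's code) of the service-provider check: end-user attributes and transaction details are signed together, and a transaction whose received details differ from the signed form is refused, which is exactly the MitB alteration described above. It assumes a device-bound HMAC key derived from the PC ID and PIN as a stand-in for the Advanced Electronic Signature module, and all field names and sample values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the post): the form as the user keyed it and
# saw it on the signing client's confirmation screen.
USER = {"user_id": "u-1001", "pc_id": "PC-ID-EXAMPLE", "auth_factors": ["pc_id", "pin"]}
TX = {"sensitivity": "medium", "beneficiary_iban": "DE00 0000 0000 0000 0000 01",
      "amount": "250.00", "currency": "EUR", "reference": "invoice 4711"}
REQUIRED_FACTORS = {"medium": 2, "high": 3}  # 2-factor vs 3-factor, as in the post

def derive_signing_key(pc_id: str, pin: str) -> bytes:
    """Stand-in for the device-bound key: PC ID (something you have) and PIN
    (something you know). Assumption: PBKDF2-HMAC-SHA256 over both factors."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), pc_id.encode(), 100_000)

def canonical(obj) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_form(user: dict, tx: dict, key: bytes) -> dict:
    """Stage 1 (client): sign end-user attributes and transaction details together."""
    body = {"user": user, "transaction": tx}
    return {"body": body, "sig": hmac.new(key, canonical(body), "sha256").hexdigest()}

def authorize(signed: dict, received_tx: dict, key: bytes) -> tuple[bool, str]:
    """Stage 2 (service provider): verify the signature, check that enough factors
    were used for the declared sensitivity, then require that the transaction the
    provider actually received is exactly what the user signed."""
    body = signed["body"]
    expected = hmac.new(key, canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False, "signature invalid"
    need = REQUIRED_FACTORS[body["transaction"]["sensitivity"]]
    if len(body["user"]["auth_factors"]) < need:
        return False, f"{need} factors required"
    if received_tx != body["transaction"]:
        return False, "received transaction differs from signed form"
    return True, "authorized"

def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    key = derive_signing_key(USER["pc_id"], "1234")  # constructed PIN
    signed = sign_form(USER, TX, key)
    clean = authorize(signed, TX, key)
    # MitB-style alteration: the browser submits a different beneficiary while the
    # user's confirmation screen still showed the original.
    tampered = dict(TX, beneficiary_iban="DE00 9999 9999 9999 9999 99")
    return clean, authorize(signed, tampered, key)
```

Calling demo() returns the verdicts for the untouched and the altered submission; only the former is authorized, because the provider compares what it received against what was signed rather than trusting the browser.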
Let's discuss unstructured data protection. In most organizations, 70-90% of business data is in an unstructured or semi-structured state, and recent research indicates that only 23% of organizations feel this data is properly protected. Unstructured data includes files of any kind, such as office documents, images, videos and so forth, not to mention the billions of emails and instant messages generated every day. Much of this is sensitive data, such as personally identifiable information (PII) and intellectual property (IP), that must be protected with appropriate measures. Another challenge of unstructured data is that it must support multiple distribution needs.
Unstructured data protection
Protection of unstructured data files needs to be independent of infrastructure and applicable across the board, from enterprise servers to laptops to USB drives to email to cloud storage. Our Software-as-a-Service solution for sensitive data file protection is based upon binding granular authorization for data rights management, strong authentication and cryptographic technology.
For example, we may take any file and encrypt it with a seal so that it can be opened only by a specified recipient or group members, for example a medical expert providing a second opinion. This encrypted file may be sent by email or stored in the cloud. The level of recipient strong authentication (2 or 3 factor) depends on the sensitivity of the file. In this example the data owner has chosen 3-factor authentication for the file recipient.
We see that creating an encrypted file includes the steps of:
choosing the file for encryption,
defining the digital rights management rule,
defining the file sensitivity (medium or high),
and takes ~15 sec of the user's time.
Deleting the decrypted file after encryption will take another ~5 sec of the user's time.
A recipient belonging to the group may decrypt this file in 3 easy steps: click, authenticate (in this case 3-factor authentication, including live voice biometrics, is preset) and view. After viewing, the decrypted file must be erased. This adds some 20 sec to the current flow. If the file was preset to medium sensitivity, requiring only 2-factor authentication from the recipient, the addition to the current flow would be only 5 sec.
The resulting data-centric security is applicable to any type of file and any type of enterprise infrastructure. Using encryption is nothing new, of course. But our solution does not weaken the encryption by using a weak password, it is applicable across domains and all types of files, and it is scalable depending on data sensitivity, to ease the burden on the end user. A data access audit trail is required in order to comply with many regulations.
Summary
I would like to summarize my post with the following: Many people believe that adding more complexity to IT security will not provide significant benefits to customers. Data-centric security is about binding the security perimeter to sensitive data, irrespective of its origin or destination. All that matters is the level of sensitivity of the data as determined by data owners. The level of burden imposed on the end-user is proportional to the data sensitivity and is in the range of 5 to 15 sec per sensitive data operation. The level of integration required by our Software-as-a-Service solution is minimal and does not impose an additional burden on IT security professionals, who keep up their day-to-day fight to protect company perimeters from their adversaries.