“Hi my name is Mark and I am from EMC. I am here to help protect you from HP?” – Sounds kind of strange doesn’t it? While I am not trying to pick on HP (I really mean that), the recent series of events clearly highlights the ability of individuals to secure confidential information in ways we might not have thought possible.
While everyone is steeped in the boardroom drama – there is a great technology question just not being asked – “Why don’t companies put the right technology in place so this doesn’t happen in the first place?”
For IT to thrive and its general commercial use to continue to grow it is critical that we address the need for security regarding our information. Most information of value to us and our business is private, not public. While there is great value in having access to information, there are also risks. The ultimate success of the Web relies on moving from simply a tool for access to public information to a tool that can also be used for ALL information.
Simply put, we need to build systems that can effectively protect private data while also making appropriate access as painless as possible. To date, I believe we have many technologies that will ultimately not withstand the test. Having a company ask my mother’s maiden name or my birthday does not give me that warm and fuzzy feeling that my data (or my money) is protected since this information itself is just not private.
We are experimenting with things like biometrics but these are also problematic for many applications. I just can’t imagine a retina scanner on my Blackberry. Personally, I believe that two-factor authentication will play a key role in bridging the gap. The simplicity of two-factor authentication is that it incorporates a simple electronic key that cannot be duplicated. It relies on the combination of something you know (a password) with something you have (a key fob) and can be used across almost any medium. Since the “key” is constantly changing, it also cannot be copied or written down. Any key number can only be used once so no key logger can be effective. If you lose the “key,” it can simply be deactivated and is useless.
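The properties described above (a code that changes constantly, is accepted only once, and dies when the fob is deactivated) can be seen in a small server-side check. This is an added example, not code from the original post: it uses the open TOTP scheme from RFC 6238 as a stand-in because the post names no algorithm, and `Verifier`, `enroll`, `login` and `deactivate` are illustrative names.

```python
import hashlib, hmac, os, struct

STEP = 30  # seconds each code stays current (RFC 6238 default)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Verifier:
    """Password (something you know) plus token code (something you have)."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, password, secret):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": _kdf(password, salt),
                            "secret": secret, "last": -1, "active": True}

    def deactivate(self, user):
        # A lost fob is switched off here; its codes stop working at once.
        self.users[user]["active"] = False

    def login(self, user, password, code, now):
        u = self.users.get(user)
        if u is None or not u["active"]:
            return False
        if not hmac.compare_digest(_kdf(password, u["salt"]), u["pw"]):
            return False
        step = int(now) // STEP
        for c in (step - 1, step):               # tolerate one step of clock drift
            expected = totp(u["secret"], c * STEP)
            # `c > last` makes each step single-use: a logged code cannot be replayed.
            if c > u["last"] and hmac.compare_digest(expected.encode(), code.encode()):
                u["last"] = c
                return True
        return False
```
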
I expect that recent events, while unfortunate, will provide the impetus for change that will ultimately help us provide greater access to information while, at the same time, putting in place the needed levels of information security.
And, if there were any doubts as to why we acquired RSA, this helped to show us all why Identity and Access Management (IAM) is going to be a critical technology for any company’s information management and protection strategy.
As for pretexting, I find even the word itself interesting. I said I was going to talk about the technology side and I am clearly no lawyer but – in terms of right or wrong – I am going to say wrong. Pretexting. It sounds so innocuous; we need to call it what it is – identity fraud. If my kids “pretext” me they get punished just the same as they would for lying.