Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home Identity Theft
Identity Theft

Data Security Breach Puts Twitter In The News Again

Twitter is in the news again - this time their internal documents stored on Google Apps that were hacked.

Questions about cloud security and the feasibility of storing critical information in Web-based services are being raised in the wake of a hacking incident involving Twitter and Google Apps.  

Twitter management was swift to jump into action with internal policy changes. With the popularity of Twitter on the uptick, security practices, policies, and procedures must be front of mind for the management team.

Companies such as Twitter, Google, and Facebook are immensely popular, with membership in the tens millions. Strong passwords are simply no longer adequate to secure data and identity. I am sure these companies are concerned and challenged with how to best contain this increasing menace. However, it would be cost prohibitive for these companies, whose business model is based on free use adoption, to start sending out tokens or force each member to install digital certificates in their browsers for second factor authentication. In addition, even if they were willing to set up token-based second factor authentication for members willing to pay a premium to protect online accounts, they would be confronted with significant integration, distribution and ongoing management challenges that would constantly impose a burden upon organizational resources.

Another primary concern is user convenience. Clearly these social media sites would not be enjoying the same level of popularity if members were subject to cumbersome processes to secure online access. Therefore, balancing the need for strong authentication with user convenience is of utmost importance for these companies as well. But this seemingly insurmountable challenge is not without a solution. Delfigo Security's business model and product architecture is predicated on addressing these very challenges - it provides implicit multifactor authentication without inconveniencing end users. There is no need for end users to change their current use patterns to have the assurance their account and profile information is secure on these sites. And our DSGateway platform is easily deployed, configured, and managed. It is a true zero footprint solution and requires no client downloads or tokens.

I agree with analyst Dan Blum of the Burton Group when he said, "I wouldn't store sensitive documents in a cloud-based service unless I had a lot of confidence in the specific service," Blum says. "I'd hold them to the same standards that you hold for your own internal applications. If you expect your internal applications to be accessed only through two-factor authentication then the cloud should be at least as secure as that."

Any regular user of these social media sites should be concerned as well. Delfigo would like to make Twitter and other social media companies an offer. We will provide our strong authentication solution free of per user (member) fees for up to one year . If you want to assure that your information is safe you should hope they take us up on this offer."

Bharat Nair is Vice President of Business Development at Delfigo Security, This e-mail address is being protected from spambots. You need JavaScript enabled to view it , Boston, MA. He can be reached at http://www.delfigosecurity.com or by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on twitter (@delfigo).


 

Virginia's Prescription Monitoring Database Hacked

Over the weekend, MarketWatch reported hackers broke into the State of Virginia's Prescription Monitoring Program (PMP) database and are demanding a $10 million ransom. The nature of this crime is mind-boggling but not a surprise considering the increasing trend in identity theft. It should serve as an eye-opener to ensure adequate authentication and authorization policies are put in place, especially when databases with large volumes of individual data is managed for state wide use.

The Virginia database is intended for state wide doctors and pharmacies to track, and reduce the abuse and illegal sale of painkillers. It is not clear from the article how the hackers accessed the patient records, but it is obvious that a database of this nature should have a strong authentication solution. However, there are many inherent challenges with the distribution and management of hardware based second factor authentication solutions, chief among them integration and cost. It may be that it is just not plausible for the State to implement a second factor solution, such as "distribute" token based second factor authentication for use by the thousands of potential end users needing access.

Forrester Research's recent report on the State of Enterprise IT confirms that cost and complexity are the top barriers to Identity and Access Management. Delfigo Security has made it a point to address these challenges. Our business model focuses on lowering total cost of ownership, and our technology architecture concentrates on eliminating the hassles of integration, distribution and management.

I agree with Gov. Kaine, "it is difficult to foil every criminal that may want to do something against you". There is a need for manageable, cost effective solutions to prevent these types of brazen criminal acts from becoming regular occurrences.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501.


 

Smart Computing Must Include Smart Security

Andrew Bartels, Vice President and Principal Analyst at Forrester Research recently made a presentation on the 2009/2010 IT spending outlook. He coined the term "Smart Computing" as the new name for the next generation of technology. He defined Smart Computing as one that is:  

  1. Flexible, adaptable, responsive
  2. Awareness (location, status, condition) and analytics for IT intelligence
  3. Focuses on new business problems

Andrew's list of smart computing included, Smart Phones, Smart Utility Grids, Smart Roads, Smart Water Systems, to name a few. But what was missing in my opinion and I am taking the liberty to coin first, is a new term to include in Andy's list - "Smart Security". Smart applications that will fuel the next generation of technology must incorporate "Smart Security". I define Smart Security as a technology that co-relates device(s), user, and data to create a contextual framework for rendering smart solutions.

The key difference is to not just rely on user ID and password to define a "user". Smart security will leverage cognitive capabilities of a user (such as keystroke biometrics, reflective thinking, and behavioral aspects) and enable applications to dynamically authorize users and render content in a risk-assesed manner. Smart Security will ensure "Smart Applications" do not open itself to "smart crooks" in the cyberspace.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by phone at 1.617.248.6501


 

Identity Thefts Continue To Rise

The Identity Theft Resource Center released its ITRC 2008 Breach List showing that the number of identity thefts jumped from 446 in 2007 to 656 in 2008, an increase of 47%.

The main sources of those breaches?

 20082007
Insider Theft (stolen by someone inside company)16.50%6.00%
Data on the Move (laptop, thumb drive, PDA, etc.)
20.30%9.70%
Subcontractor (stolen or lost by second party)20.30%
27.80%
Hacking (stolen by someone outside of company)
13.40%14.10%
Accidental Exposure (inadvertent Internet/Web posting)
14.10%20.20%

Source: Identity Theft Center

The number of course only includes those that were publicly reported. Many organizations still keep these incidents from the public.



 


Page 3 of 3