IP Expo has just concluded and the one thought that echoed around the cyber security discussions, talks and interviews was that the password is on its last legs. So, when TEISS sat down to interview Rohit Ghai, President RSA, it was obvious that we would start off by asking him about it...
Teiss: We are hearing that the password is dead...
Ghai: News of the death of the password is music to our ears...
If you think about cybersecurity, it is a people, process and technology problem and we've had the tech to kill the password for 3 decades, but they live on because they form a part of the process and user acceptance. We are at a tipping point now because we live in a world where 65 percent of the breaches can be mapped back to some kind of an identity compromise.
It is about time the password died. You need multi-factor solutions to make that happen so the death of the password would be great for the industry and for the cause of security.
READ MORE: The great Deloitte dumpster fire...
Teiss: But 2FA isn't that great either?
Ghai: The right way to think about 2FA or multi-factor is that in the modern digital world, what users expect is security and convenience. Not security or convenience. What does that mean for us? Well, it means what we have to do is look at the risk of the transaction, look at the risk of what the user is trying to do and either dial up or down the level of friction on security so that you are not imposing any more on them more than you need to.
So if it is a lunch menu, then no MFA, 2FA or passwords but if it is financial data in your SAP systems then maybe some level of authentication should be in place.
Risk-based identity assurance rather than authentication with 2FA, biometrics etc is required. 2FA, MFA, biometrics are just simply mechanisms to ensure you are who you say you are. But they don't ask unless you really need to ask for that.
Teiss: And when do you REALLY need to ask for that? You talk about lunch menu and financial info but when is it really important to ask for identity?
Ghai: The best way to prove who you are is to be yourself. This means that you have a variety of factors that can assure a system that you are who you say you are. Whether it is because you are in possession of a mobile phone that acts as a registration for you, whether you have entered a building using your physical badge access- these are all factors that you can apply when you need to.
Asking for authentication should be based on the risk of the transaction. So if you are in the same office building that you always come into and swiped your badge as you always do, there is a very good likelihood that you are who you say you are. For moderate levels of transactions thats fine. But as soon as you get into corporate, financial data then maybe you need to dial up the level of assurance.
We can squeeze out the user friction by using a risk engine in conjunction with all the authentication mechanisms.
Teiss: When you say multi-factor, whats the idea mix?
Ghai: The ideal security scenario should look at answering three basic questions: who you are, what you have and what you know. Every measurable trait that defines who you are can be used, so biometrics including retina, the way you type as well as the way you walk.
What you have: tokens, mobile phone, PC anything you can use to prove your identity
What you know: This is the element that we want to kill- passwords, pass phrases.
These three factors that make up multi-factor.
Teiss: Tokens have been in use at financial organisations for a long time and yet giant breaches like Deloitte and Equifax still happen. Why is it not helping, what's the mis-step and what is it that people aren't seeing?
Ghai: I think there is a spectrum of reasons. The most straightforward one is that tokens or multi-factor authentication are deployed today in very limited cases. So, there is a whole spectrum of users in the typical corporate setup who are not protected and are still using 'apparently dead' passwords and lots of use cases aren't protected. VPN is a great use case. Lots of people use it to get into the network from outside the firewall. If when inside the firewall, you are not using multi factor then it is a risky situation. We know a huge number of insider breaches happen and a lot of times you have to assume the bad guys are inside your corporation. So why would you use multi-factor for only a certain set of users and not the others. So we think multi-factor authentication and identity assurance are as applicable to a much broader user population for them to be factors.
Teiss: Is there a case for tokens and multi-factor to be rolled out to the general consumer as well?
Ghai: It is already in play in financial institutions so there is legitimacy for their use, especially in certain verticals like healthcare, financials and anywhere else where access to data is highly sensitive and is a valuable transaction. E-commerce vendors and even public sector organisations who deal with citizen data and have records that you want to secure.
These are great use cases, but they have to be done in the right way so as to not impose friction because in the modern digital world, there are more millennial than less millennial and the tolerance for friction is declining. You want to help the cause of security without the friction. It isn't about throwing tokens and multi-factor in the path but also make it risk-centric. So you throw in multi-factor based on the risk of the transaction. So if you are doing a wire transfer, it is valid to ask for a tokens bit if it is to only read your transactions, then you don't.
You don't want to risk convenience.
READ MORE: Top five biggest cyber-attacks in the UK
Teiss: Millennial don't care about security? How do you teach a generation to care?
Ghai: It is as much a responsibility of corporations as it is of that of the individual consumer. Banks have to make sure their millennial are protected- so do it in a way without much friction. Use authentication mechanisms that they are more used to, like facial recognition the is more intuitive to them because of the likes of Snapchat.
Teiss: With cyber security, the biggest risk has always been the human and that problem isn't going away despite the amount of money being chucked at it. Is there a change in focus that needs to come about for it to succeed?
Ghai: I totally agree and believe that doing the same thing and expecting a different outcome is the definition of insanity. Bad guys have the same tech as the good guys and what is needed is applying business context to the problem. We know more than the bad guys what's actually more important to our business. Applying business-driven security posture and prioritising your security posture will help in dealing with the bad guys. Just throwing new technology will not do so.
Education is a critical component because humans are the weakest link. Smarter humans with right education is key but there is a consumption inertia within businesses. Vendor obligation is there so they have to make friction-less technology as well as education solutions in place to elevate right cyber hygiene behaviour.
Teiss: And finally, what would you say are the top 3 things that the industry will move towards in the next three years?
Ghai: Risk-based identity assurance strategy, death of the password and business-driven security. These three will be based on what matters most, otherwise it can become an overwhelming problem. Solutions that only address part of the problem are like instances where you put a big padlock on your front door while your backdoor is open.
End to end visible security solutions need to be rolled out immediately.