Tag Archives: BYOD

Passwords are Dead, Part II 2nd False Premise – a collaborative research effort, being presented at RSA 2013

The advent of user created, managed and handled passwords as the sole means of authenticating is coming to an end. The utility of these was defined in an era based on assumptions of brute force capability, system computing power and pro-active security teams.   – After much debate and analysis … there is the thesis

Screen Shot 2013-02-12 at 9.58.14 AM

This is Part II of the topic being explored and discussed at my Wednesday session at the RSA Conference in San Francisco (2013).  To see the first thesis and False Premise 1, please see the original post.  Jumping right in – looking forward to more feedback (thanks for a generous emails, but don’t be shy at the comment field below)!

————————————————————————

FALSE PREMISE TWO: Password strength should transcend devices – mobile, tablets (iPad, surface) [Updated 2/12/2013]

MOBILE devices:
What is the intent of the password? To stop high CPU encryption cracking systems .. or prevent inadvertent strangers from accessing the data?  Today we wrap in mobile (BYOD type if that suits you) systems into the corporate password requirement sphere, and in some cases are being more creative than other platforms.

For instance, it is recommended on a popular Apple iOS device site to use “accent characters for creating a super strong password“. Agreed these are more difficult to guess, but is that the threat we are seeking to mitigate?  In the space of X character spaces how creative must we get?

What are the risks to these mobile devices:

  • Theft
  • Data leakage violating regulatory, contractual, or privacy expectations of customers

If we consider the two threats – Theft is not mitigated by the password, as the device will simply be wiped.

[Updated 2/09/13] Data leakage is only possible if the device is ON and the password guessed before it locks itself permanently.  A feature readily available and easily implemented by the end-user, even more robust with corporate implementation technologies.

  • So in this case, the password only needs to not be one of the top 10 most common phone passwords.  At that point the device locks and can self wipe.
  • Another scenario is that the password was gleaned through recording / shoulder surfing / or simply left unlocked.  Each case the password strength was not an issue.  Other situations?

As we move into an ever mobile, data everywhere, and always connected scenario an interesting ecosystem of access & authentication appears, that requires continued serious challenge against the assumptions of our security and assurance programs.

Diving in …

Data is mobile – what role does a single password play in accessing sensitive data? Data stored on device (Cloud storage we can address on the integration point below) is at risk to a number of threats:

  • The device can be attacked directly (similar to any other computing device with IP addresses and Ports) wirelessly, but typically requires physical proximity (simplest) which is reserved for either random or very targeted attackers.
  • The device can be stolen, and if no OS passwords, than the Data itself is attacked/accessed directly. An unlocked device introduces risk mitigation techniques that are harder, so password is EASIEST. A password on the data within an application is a worthless without some form of self-destruct functionality similar to that of the OS level safeguards.

>> Why are passwords WORTHLESS at the application level in this situation?

>>> If the attacker is ON the device (physically or remotely) and our Use Case is an encrypted database – the attacker can copy that encrypted database to their system for local attacking (easy and zero user awareness), or they can access the database locally via brute force until they get in.

The data is at risk regardless without some form of self-destruct and tremendous levels of assurance related to the encryption of the data(base) itself.

  • Other thoughts here?
  • What is missing?

Passwords plays a significant role at certain tollgates upon the data (when stored on the device), and less the more “access” the attacker gets to the underlying system. A common refrain of attackers is – with “physical” access I can break into anything. We must today deal with ALL ACCESS is PHYSICAL when the data is mobile.

Plethora of devices – Today data is accessed from many devices, some owned by corporations, by end-users, or nobody – kiosks. Single passwords entered into systems allowing single thread authentication where NO assurance is understood of the underlying system and no situational awareness of the User presence seeking authentication results in failed security.

  • The reuse of passwords across devices threatens the confidentiality of the password itself (as much as that matters).
  • The multitude of devices increases the need to redefine what is “access” and the functions of authorization (I used “functions” instead of “rules” intentionally to draw attention on the necessity for a broader approach to solving this constraint)

Integration with third party service providers – [to be expanded…]

—————————-

Conclusion – a preview:

  1. Stationarity, is defined as a quality of a process in which the statistical parameters (mean and standard deviation) of the process do not change with time.” – Challis and Kitney November 1991
  2. Offline Data level authentication – Offline in an ‘always connected’ world

[Disclaimer: First off this is my research and not anyone else’s. Second, the examples above are meant to illustrate technical realities in a reasonably understood presentation. Lets focus on the problem .. identify weaknesses in the argument; and introduce the mitigation so greatly required in our online world.

I share and seek these answers for the preservation and enhancement for our way of life… as simple as that and I appreciate you being a part of my journey]

Always seek, everything…

James DeLuccia

Twitter: @jdeluccia

Implications of BYOD .. cultural implications & Chief Executive considerations

BYOD ..

What is it?  Commonly referred to as Bring Your Own Device, it refers to the unstoppable trend of end-users within enterprises utilizing consumer devices in the word place.  This is a simplification, but captures the essence of how board of directors are using iPads, and how Facebook became a permitted service inside organizations.  (the Facebook example is a poor one, as that is an Application .. but that will be raised in a future discussion).

The challenge to enterprises is how to enable these end-users with these technologies?  How to gain efficiencies and advantage?  How to allow end-users to be happy with their ability to self select their devices.  As ultimately, the end-users within corporations are quite happy with their iPhones and such devices .. it is only the need of corporate IT to streamline the integration.

Here is where things become interesting …

BYOD in most regions of the world refers to “Bring” your own device, while in certain regions it refers to “Buy” your own device.  Ownership of the device is quite important legally, upon how someone uses that device, and what controls are generally accepted.

In the United States for instance – end-users Bring and Buy their own devices, generally.  This means that Corporate IT must wrestle with ownership, MDM, and a diverse device / OS ecosystem.  Such challenges center on the ability to fully wipe a device in case of a policy violation.  The capability to fully monitor and restrict via policy the permitted applications.  In addition simply utilizing the full breadth of technology on the device – i.e., conjoining GPS proximity technology with multifactor authentication to increase the confidence of user credentials when within corporate offices (a general uneasy concept with personal devices, but something magically simple when the whole device is owned and part of the operations and security ecosystem).

In other regions, such as in Europe, the devices are purchased by the business and provided to the end-users.

So is it really “BYOD” or not, for intents and purposes the end-user drive; the customization applied to these devices; the personalization, and such are all identical to that of the U.S. BYOD.  The difference is in HOW the user interfaces with the device and WHAT can be done to safeguard the device.

  • How is your organization managing these cross cultural perspectives?
  • How have you considered the cost and operational expenses of each BYOD?
  • What are the implications for security, compliance, and long term competitiveness (as it is ultimately being competitive that ensures that security and compliance will continue to matter)

Business operations, electing and incorporating mobile / BYOD technology is obviously a decision that has been made by most organizations.  Either by the rebelling user base, or through sanctioned programs.  The next field of play is to focus on the cultural aspects and embrace a forward looking vision at the emerging legislation related to such protections & expectations of consumers.

Culture eats strategy for lunch … so BYOD, please meet Culture.

Best,

James DeLuccia IV