This article was published on January 3, 2017

How to balance security and usability with data analytics

Technology is a beautiful thing. It can make life more convenient by allowing people to push a button and get something good — a ride home, a vacation rental, or dinner.

It’s also a powerful tool that can improve safety and security in ways that weren’t possible before. But as fears grow about private information ending up in other people’s hands, how can those fears be put at ease?

Here are a few technologies that are improving security, and how you can keep yourself from becoming a security statistic.

Biometrics

Since Apple made biometric authentication genuinely usable with the fingerprint sensor in the iPhone’s home button (Touch ID) in 2013, the appetite for biometrics has expanded rapidly. Now Google’s Project Abacus plans to monitor your speech patterns, as well as how you walk and type, to confirm that it’s really you on the other end of the smartphone.

Other apps are looking at the uniqueness of vascular patterns in the eyes or even a person’s specific gait to verify identities.

In February 2016, Dutch bank ABN AMRO became one of the first companies in a worldwide MasterCard pilot to embrace these technologies. The pilot reported strong results: 95 percent of the fingerprint users and 80 percent of the facial recognition users said shopping became more convenient with biometric authentication.

Participants also perceived it as more secure, a win for both customer and bank.

Pros: The biggest benefit of a biometric device for authentication is the ease of use it offers. Fingerprint scanners are affordable and simple to operate. A captured fingerprint can be matched against millions of records held in a database, and the result can be near-instant depending on how many records are searched.

Biometrics also make identity fraud less likely: spoofing a biometric reader takes more effort than stealing an employee identification card.

Cons: Unlike passwords, biometrics such as face mapping, fingerprints and iris scans can’t be changed when a database gets popped. Worse, data sold to marketers or gobbled up into an authoritarian database isn’t reversible.

Research on biometric tech has ramped up, leading to mobile apps that read various unique-to-you body parts to verify your identity. That raises all kinds of security and privacy concerns, and it’s still an open question how governments and manufacturers are going to address them.

There is no one-size-fits-all solution; which biometric to use, and whether to use one at all, has to be tailored to the specific context.

Protect yourself: Current regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the EU’s General Data Protection Regulation (GDPR) and, last but not least, PSD2 (the revised Payment Services Directive) require security and access controls for customer and employee data – but not necessarily for authentication credentials.

There are three criteria for securing biometric data. First, it should be captured on a secure device that only passes data to your system, without retaining it. Second, like any other authentication credential, it should be transmitted encrypted and never in clear text. Third, if templates must be held centrally, they should be stored encrypted, with tightly controlled access, in a hardened directory service such as Active Directory or another LDAP directory. Better still, where the platform allows it, match on the capture device itself so that the template never leaves it and there is no central store to breach.

Selfie security

Ah, the selfie. Cliché, but somewhat effective – if you’re trying to look good on your college ID. But is it really good for security?

While selfies aren’t going to replace the password or PIN, there have been advances in, and real uses for, the technology in recent years.

Aimed at millennials, MasterCard began testing a facial recognition authentication system for online payments in 2015, letting users scan their faces to approve payments.

Pros: MasterCard wants to, “identify people for who they are, not what they remember,” and biometric authentication offers a lot of advantages over passwords as users can’t forget them, they’re unique, and they are easy to provide.

In an age of thousands of passwords, each required to contain everything but the kitchen sink, easy security that people actually use beats strong security that nobody uses.

Cons: The fact that today’s smartphones can capture fingerprints, voice and facial images removes the need for costly and cumbersome external readers, but the devices that read or measure a biometric can still produce false negatives and false positives. Every matcher runs at a threshold that trades one error for the other: tighten it and fewer impostors get in, but more legitimate users are rejected. People also leave their fingerprints everywhere, which is the equivalent of a password written on a Post-it note, and it’s fairly easy to copy one and cast a replica in silicone.
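The false accept / false reject trade-off described above, as an added example that is not part of the original article. The similarity scores are constructed for illustration (a real fingerprint or face matcher produces its own score), and the function names are mine, not any vendor’s API:

```python
"""Added example: the accept-threshold trade-off in a biometric matcher.

A matcher returns a similarity score; the system accepts when the score
is at or above a threshold. Raising the threshold lets fewer impostors
through (lower FAR) but locks out more legitimate users (higher FRR).
Scores below are constructed for illustration, not measured from a device.
"""
from typing import Iterable, List, Tuple

# Constructed similarity scores in [0, 1].
# genuine  = a user compared against their own enrolled template
# impostor = a different person compared against that template
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.71, 0.66, 0.58]
IMPOSTOR_SCORES = [0.12, 0.18, 0.23, 0.31, 0.36, 0.42, 0.49, 0.55, 0.62, 0.69]


def error_rates(threshold: float,
                genuine: Iterable[float] = GENUINE_SCORES,
                impostor: Iterable[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FAR, FRR) at a given accept threshold.

    FAR: fraction of impostor attempts accepted  (score >= threshold)
    FRR: fraction of genuine attempts rejected   (score <  threshold)
    """
    genuine, impostor = list(genuine), list(impostor)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def _thresholds(step: float) -> List[float]:
    """0.0, step, 2*step, ... 1.0, rounded so float drift cannot accumulate."""
    n = int(round(1.0 / step))
    return [round(i * step, 10) for i in range(n + 1)]


def sweep(step: float = 0.05) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) across the whole score range."""
    return [(t, *error_rates(t)) for t in _thresholds(step)]


def equal_error_threshold(step: float = 0.01) -> float:
    """Threshold at which FAR and FRR are closest (the equal-error point)."""
    best_t, best_gap = 0.0, float("inf")
    for t in _thresholds(step):
        far, frr = error_rates(t)
        if abs(far - frr) < best_gap:
            best_t, best_gap = t, abs(far - frr)
    return best_t


def threshold_for_far(max_far: float, step: float = 0.01) -> Tuple[float, float]:
    """Lowest threshold that keeps FAR <= max_far, and the FRR it costs.

    This is the decision a bank actually makes: cap the impostor rate and
    accept the resulting share of customers who get rejected and must fall
    back to a password or PIN.
    """
    for t in _thresholds(step):
        far, frr = error_rates(t)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal-error threshold:", equal_error_threshold())
    print("threshold for zero FAR, and the FRR it costs:", threshold_for_far(0.0))
```

On these constructed scores the two curves cross at a threshold of 0.63, and driving false accepts to zero requires a threshold of 0.70, at which one genuine user in five is rejected; that rejected share is the usability cost a deployment has to budget for with a fallback factor.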

HP got a lot of bad press in 2009 for its cameras’ inability to “see” black faces. Horrifyingly, Google’s facial recognition software in 2015 tagged two African-Americans as gorillas. Google’s Yonatan Zunger reacted appropriately, yet noted in a tweet that “until recently, Google Photos was confusing white faces with dogs and seals. Machine learning is hard.”

Protect yourself: Databases get hacked all the time, from the IRS to Target to hospitals and banks. Until some of the very real security concerns around biometric technologies are ironed out, you wouldn’t be wrong to worry about linking data about your body parts to online accounts. Because selfie authentication is just facial recognition, the same rules apply to it as to any other biometric.

Internet of Things

The Internet of Things (IoT) is revolutionizing our everyday lives. Within the existing internet infrastructure, devices and sensors communicate with each other to perform a designated task.

Pros: From automation to safety, efficiency to convenience, the benefits of IoT are astonishing. By one forecast, the IoT ecosystem will grow to 212 billion connected ‘things’ and an $8.9 trillion market by 2020. There’s no doubt IoT devices will become part of daily life.

Cons: As of now, there is no common standard for how sensors are tagged and monitored. Something uniform, in the way USB or Bluetooth is, is needed, and it should not be that hard to agree on. Meanwhile consumers are increasingly drawn to the convenience of IoT devices, yet most are unaware of the security risks.

As with any internet-connected device, IoT appliances and gadgets have potential security vulnerabilities. The data they collect and transmit should be encrypted, in transit and at rest, so that details of your finances or how much milk you drink don’t become common knowledge at work or among your friends.

Protect yourself: Look for software tools designed to protect your personal data and privacy across the Internet. One is MyPermissions, which offers free Android and iOS apps as well as a browser toolbar. MyPermissions alerts you when an app gains access to your personal information and prompts you to revoke or accept the permission. Note that this covers the apps on your phone, not the firmware on the devices themselves.

Always keep your devices updated with the latest software, as updates often include security patches. And consider connecting devices through a Virtual Private Network (VPN), bearing in mind that a VPN only protects traffic in transit; it does nothing for a device whose own firmware is insecure, which is why patching comes first.

SIEM

Security Information and Event Management (SIEM) is defined as a complex set of technologies brought together to provide a holistic view into a technical infrastructure. SIEMs are designed to collect security log events from numerous hosts within an enterprise and store their relevant data centrally.

Pros: Centralised analysis can surface attacks that no single host’s logs would reveal, and some SIEM products can trigger a response while an attack is still in progress, for instance by instructing a firewall or endpoint agent to block it. The SIEM itself is not an enforcement point; its value is in noticing, and correlating, activity that would otherwise go unnoticed elsewhere in the enterprise, so that the attack can be stopped before it succeeds.

Cons: Traditional SIEM tools struggle to ingest the unstructured data, from sources such as web and email traffic, that is increasingly relevant to enterprise security. That data is hard to analyze and make sense of with a SIEM alone.

And as network boundaries are dissolving, companies are opening up their perimeters to partners, suppliers and others, and to staff working from home. Perimeters that were once easy to define and fortify are now vague and transient.

Protect yourself: Your SIEM tools can’t know what’s normal for your network if you don’t. Spend time understanding your network and the events that routinely occur on it, so that alert thresholds reflect your environment rather than a vendor default.

Also, don’t just turn it on and walk away – configuring SIEM tools isn’t a one-time event. Review your configuration regularly to make sure it still suits the current environment, not the environment as it was when the tool was deployed.
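A minimal version of the “learn what’s normal first” advice, as an added example that is not part of the original article and not any SIEM product’s own logic. It assumes OpenSSH-style sshd log lines; both sets of lines and the function names are constructed for this example:

```python
"""Added example: SIEM-style correlation over sshd log lines.

The brute-force threshold is learned from a baseline period of logs from
this environment, then the same rule runs over a later window. All log
lines are constructed for the example; the format follows OpenSSH's sshd.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

YEAR = 2017  # syslog timestamps carry no year; assumed here for parsing

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, source ip)

# Constructed "normal day" sample: a couple of mistyped passwords, nothing more.
BASELINE_LINES = [
    "Jan  2 09:00:11 bastion sshd[2101]: Failed password for alice from 198.51.100.7 port 50122 ssh2",
    "Jan  2 09:00:19 bastion sshd[2101]: Failed password for alice from 198.51.100.7 port 50122 ssh2",
    "Jan  2 09:00:31 bastion sshd[2101]: Accepted password for alice from 198.51.100.7 port 50122 ssh2",
    "Jan  2 14:12:05 bastion sshd[2388]: Failed password for bob from 198.51.100.9 port 50410 ssh2",
    "Jan  2 14:12:40 bastion sshd[2388]: Accepted publickey for bob from 198.51.100.9 port 50410 ssh2",
]

# Constructed later window: a password-guessing run that eventually succeeds.
LIVE_LINES = [
    "Jan  3 10:00:01 bastion sshd[3011]: Failed password for root from 203.0.113.5 port 4444 ssh2",
    "Jan  3 10:00:04 bastion sshd[3012]: Failed password for invalid user admin from 203.0.113.5 port 4445 ssh2",
    "Jan  3 10:00:09 bastion sshd[3013]: Failed password for invalid user test from 203.0.113.5 port 4446 ssh2",
    "Jan  3 10:01:15 bastion sshd[3014]: Connection closed by 203.0.113.5 port 4446 [preauth]",
    "Jan  3 10:02:30 bastion sshd[3015]: Failed password for deploy from 203.0.113.5 port 4447 ssh2",
    "Jan  3 10:03:02 bastion sshd[3016]: Failed password for alice from 198.51.100.7 port 50230 ssh2",
    "Jan  3 10:03:10 bastion sshd[3016]: Accepted password for alice from 198.51.100.7 port 50230 ssh2",
    "Jan  3 10:04:41 bastion sshd[3017]: Failed password for deploy from 203.0.113.5 port 4448 ssh2",
    "Jan  3 10:05:55 bastion sshd[3018]: Failed password for deploy from 203.0.113.5 port 4449 ssh2",
    "Jan  3 10:07:30 bastion sshd[3019]: Accepted password for deploy from 203.0.113.5 port 4450 ssh2",
]


def parse(line: str) -> Optional[Event]:
    """Parse one sshd line; None for lines that are not auth outcomes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def peak_failures(events: List[Event], window: timedelta) -> Dict[str, int]:
    """Largest number of failed logins from each source inside any one window."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, outcome, _user, ip in events:
        if outcome == "Failed":
            by_ip[ip].append(ts)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def learn_threshold(baseline: List[str], window: timedelta = timedelta(minutes=10),
                    margin: int = 2) -> int:
    """Threshold = worst failure burst seen during normal operation, plus a margin."""
    events = [e for e in map(parse, baseline) if e]
    peaks = peak_failures(events, window)
    return (max(peaks.values()) if peaks else 0) + margin


def detect(lines: List[str], threshold: int,
           window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Alert on bursts at or above threshold, and on any success from a bursting source."""
    events = [e for e in map(parse, lines) if e]
    peaks = peak_failures(events, window)
    bursting = {ip for ip, n in peaks.items() if n >= threshold}
    alerts = [f"brute-force: {peaks[ip]} failures from {ip} within {window}"
              for ip in sorted(bursting)]
    for ts, outcome, user, ip in events:
        if outcome == "Accepted" and ip in bursting:
            alerts.append(f"success after brute-force: {user} from {ip} at {ts:%H:%M:%S}")
    return alerts


if __name__ == "__main__":
    t = learn_threshold(BASELINE_LINES)
    print(f"learned threshold: {t} failures per 10 minutes")
    for alert in detect(LIVE_LINES, t):
        print(alert)
```

The threshold comes out of the baseline (the worst burst a real user produced, plus a margin), which is the point of the advice: rerun `learn_threshold` when the environment changes, such as a new bastion or a new team, rather than keeping the number from the day the tool was deployed. The second rule, a success from a source that was just bursting, is the one that matters most, because it is the signal that the guessing worked.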

Encrypt or GTFO

Welcome to the free-for-all of biometric technology in the private sector. There’s nothing preventing private entities from selling, trading, or otherwise profiting from an individual’s information.

Unless you count convening a group to develop rules around facial recognition as a big win. Let’s be honest: that’s about as productive as a meeting to plan a meeting to discuss a meeting.

Considering there are companies hell-bent on selling every ounce of user data possible, something drastic needs to happen… and soon.
