‘Key To The Kingdom’: A Look At Decentralized Authentication

Dan Gunderman

In the last 2017 episode of “Task Force 7 Radio,” information security executive and show host George Rettas tackled the Kaspersky Lab controversy and broke down the issue of decentralized authentication with HYPR Corp. CEO George Avetisov.

Rettas’ opening segment ventured into the realm of intelligence gathering and the reportedly close relationship between the FSB, Russia’s powerful security service, and Kaspersky, a solution provider.

Rettas said that the black cloud above Kaspersky is only thickening, as the company has had difficulty defusing the controversy over its suspected close ties to the FSB as it investigated a Russian cyber-criminal.

Citing the Washington Post, Rettas explained that Russian cyber-criminal Konstantin Kozlovskiy, arrested in the summer of 2016 for heists on Russian banks, posted documents related to his case to social media.

The documents reportedly suggest that an FSB agent worked inside a Kaspersky Lab to decrypt and gather information. The alleged close cooperation comes at a time when Kaspersky products have been banned within certain governments, as they’re viewed in some circles as a platform for Russian spying.

Rettas said it’s “all a moot point” because all the data gets funneled through the nation’s system for lawful interception. The nation reportedly operates off a specification initiated in 1995 to access surveillance data.

Authentication ‘Paradigm Shifts’

Rettas then broached the topic of authentication with Avetisov, who is responsible for the overall strategy, products, sales and culture of HYPR Corp., whose focus lies in decentralized authentication and eliminating the need to centrally store credentials.

Avetisov said that centralized authentication presents a single weak spot or point of failure, which is easier for hackers to target. He called it “high-risk” and “high-cost” for the enterprise. Meanwhile, Avetisov said decentralized authentication helps eliminate fraud and reduce the breach risk.

He said the push for decentralization is an enterprise response to consumers becoming more aware of security and privacy.

“Just a few years ago, you wouldn’t have had an average person asking a bank about two-factor authentication,” Avetisov said. “I think that’s a new paradigm, and it’s very interesting to watch.”

Part of the larger paradigm shift is a focus on Internet of Things (IoT) technology, Avetisov said. “(It’s) really at the forefront of security leaders’ minds.”

“The omni-channel experience in an enterprise (can be summed up as): the consumers, the employees and IoT,” the CEO said. “The reason we look at IoT as a key segment…is there are IoT systems coming online for consumers and within the enterprise…that were not around just five years ago.”

Avetisov also said that the security platform will have to evolve, as a large gap remains between the posture of large enterprises (financial, healthcare, etc.) and companies in startup mode that are building tomorrow’s products but don’t yet have security embedded in their “DNA.”

On the viability of blockchain technology to solve enterprise security needs, Avetisov said it’s still “a solution looking for a problem.” The CEO said there haven’t been too many use cases for blockchain technology yet. Still, he said the digital identity can benefit from blockchain – by putting personally identifiable information (PII) in an encrypted environment.

Using Equifax as an example of a centralized data breach, Avetisov said, “Our vision of the future is getting PII, the digital identity and components of PII decentralized and off servers (of companies like Equifax). We have a long way to go to get there, but it’s a possible reality.”

In order to decentralize data, biometrics, PINs and passwords could be called upon to layer security. Also, the end user stores the data on his or her device. The credentials, Avetisov said, go back to the users. This opposes the concept of a data repository, which is an appealing target for cyber criminals.

Instead, in a decentralized environment, you would push your data up to the third party when you need to (credit checks, mortgage applications, etc.). Avetisov endorsed a “push-based mechanism” versus the “pull.”

The CEO also said the password itself is evolving. Despite the decade-long belief that the password is dying, Avetisov said it’s still a “fundamental form of authentication” that will be just one part of the equation, layered atop forms of authentication. He said, however, the password cannot be the “key to the kingdom.”

Even with decentralization, will there be more targeted attacks on devices? Yes, Avetisov predicted, and it could be the result of manufacturer weaknesses. “But, that’s why enterprises are starting to layer controls on the device itself,” he added.

If a manufacturer flaw is exposed in a decentralized environment, “you can simply shut off those credentials, have the user re-register and no longer worry about the attack,” Avetisov said.

Task Force 7 Radio

The “Task Force 7” Radio recap is a weekly feature on the Cyber Security Hub.
