29.09.2011 by Martin Kuppinger
Trust is a fundamental concept of today’s IT. Security is based on trust.
We have (or better: had, after DigiNotar?) trust that a web server which has a valid SSL certificate is the server it claims to be.
We had trust that RSA SecurID tokens are secure (whích they still are to some degree, but a lower than before).
We have trust that our authentication in the Active Directory is done in a secure way.
We trust the identity provider when using identity federation.
However, especially the first two examples raise the question whether the concept of trust still is a foundation to build on. On the other hand: Are there any alternatives?
I think we will further need to build on trust as a concept. There is no real alternative. However, we need to be much more careful regarding this concept and add to other approaches:
Mistrust means that we shouldn’t take things for granted. We might challenge “facts” – e.g. authentication decisions and so on. In fact, mistrust is not really new. We might check the URLs behind links which are suspicious – are they really pointing to eBay, PayPal or whomever they claim to do? We add additional tiers of authentication or stronger authentication mechanisms for sensitive interactions and transactions. But in the light of what happens these days, with more cyber-attacks and even the well-secured, experienced ones like RSA becoming victims of successful attacks, mistrust becomes more important.
That is related to the concept of risk. Risk relates to
- interactions and transactions performed and the information assets affected
- the level of mistrust and the “objective”, factual security risks
This relation is fundamental. We need to understand what could happen to our information assets (and the real assets behind them). And we need to understand how much mistrust we need. Based on that we can define what we need beyond the trust we might have today.
Technically, this leads to the need for flexibility and versatility. It’s not about a specific type of solution, it is about the ability to combine multiple technologies (for authentication, fraud detection,…) depending on the risks and the level of mistrust. The bad news however is: Mistrust will increase, trust will decrease, which will make it more complex to achieve an acceptable level of security for specific risks. And some of the concepts – like SSL – are obviously not sufficient by themselves to address today’s and the future’s security challenge. However: SSL++, e.g. SSL plus other approaches, might suit our needs. And approaches like the ones of convergence.io might help us as well in better rating the risks and applying the concept not only of trust but as well of mistrust. And, despite the mistrust we might feel for rating agencies in the finance world, having rating agencies for organizations like CAs we have to trust might be another approach.
11.11.2010 by Martin Kuppinger
These days, the Deutsche Post started its eBrief service. And the so called De-Mail is as well on its way. The common idea: Trustworthy, legally signed eMail. So far, so good. But we all know that its not the first approach for secure eMail. Some people are even using it actively, and some even beyond the reach of their corporate eMail systems. But when I look at my inbox, well below 1% of the incoming mails are signed and exactly 0% are encrypted.
Why should that change with new services which are expensive (to send the eBrief costs money like a real letter), have a complex registration procedure (you have to show up in person and with your ID card or – lucky one – your eID), and are difficult to use. The biggest problem: Yet another mailbox. I don’t want to have another mailbox. I don’t want to use websites to authenticate before I can access like I have experienced with other approaches. I just want to be able to use secure eMail (if I need it) with my existing mail accounts, my existing Microsoft Outlook (and NO new mail account I have to add to my outlook). Seamless. Without having to think much about. Without registration. And in a way that every recipient understands. The best way still is S/MIME, even while only few people really understand what happens there, at least besides the IT security people. But an eBrief? De-Mail? Why should I? Add another level of complexity to my communication? No way.
Besides this: De-Mail would also enable the state to communicate with me. They have a way to reliably send mail to me – do I really want them to have this option? Hey, I couldn’t ignore that any more. That’s far easier with the classical letters sent by snail mail.
Honestly, my reception of these initiatives is that someone tries to reinvent the wheel – one with five edges, not a round one.
I personally will further use my fax when it’s about really reliable communication.
31.03.2010 by Martin Kuppinger
In my recent post on versatile authentication I touched the topic of national eID cards. Some two weeks ago, I did a presentation on eID interoperability from a private perspective. I started with the question about why strong authentication technologies are still not widely used. The vendors might claim that they are, but in fact we still mainly rely on weak approaches like username/password, PINs, PIN/TAN, and so on.
One reason for that is that approaches which are reusable need a sponsor. Many companies in eBanking, eCommerce, and other areas understand the need for strong authentication. But they don’t want to rely on proprietary mechanisms. They don’t want to deploy and provide the logistics for advanced mechanisms due to the costs associated with. And they don’t want to invest in a technology for their customers which then might be used by their competitors as well. One example for the latter situation are readers for cash cards, amongst others.
For sure you could argue that the example of the UPU (Universal Postal Union) has demonstrated some 145 years ago, that this isn’t a valid argument. Before UPU, there had been a complex system of billing between postal agencies in different countries. They counted the letters and the fees and billed each other. The basic idea behind UPU was, that there is usually one letter back per letter sent, thus the fees which have to be payed are more or less equal. Thus it is much cheaper to just not do that billing anymore and to have the senders pay only a fee in the originating country of the letter. This system works for a pretty long time right now. And I don’t have that many doubts that a standardized system which requires some hardware to be deployed would work as well when everyone supports his customers – the ones with fewer customers will pay less on average because they have to deploy less, the ones with more customers will pay more.
Unfortunately I neither see a standard solution which is accepted by everyone nor the willigness to do that. Thus we need alternatives. And that is where eID cards come into play. There is a potential for mass adoption at least in countries where it is mandatory to have such a card. However, that requires that these cards can really be used for strong authentication in eCommerce and other areas. And that, again, requires the deployment of readers for these cards.
Thus, we need someone to sponsor at least the initial deployment to build the critical mass. The only ones to do that are the governments, like in Germany, where 1.3 million readers will be sponsored. That in fact is business development, because it enables the use of Internet-based services with strong authentication. It enables new business models, efficiency in organizations, it will reduce fraud and the associated costs. However, the eID projects usually aren’t seen from that perspective of business development – private use cases are more sort of an add-on. Decisions like in the Netherlands to shift such projects to a later point of time show a lack of understanding of the potential economic impact.
We need mass adoption of reusable strong authentication for the “Internet business”. The only way to achieve this is by sponsors who invest in the mass adoption of technologies. And the most likely sponsors are governments, as part of what they do for their economies and their competitive advantage. Once we have a mass adoption of strong authentication, we might see additional technologies being used for graded and step-up authentication. Vendors of versatile authentication and context-based authentication/authorization will benefit from this as well because eID cards will always be only one of many accepted means of authentication. But the ones who benefit most are the businesses themselves which can reduce fraud and implement new business models.
Visit EIC 2010, Cloud 2010, MIS 2010.
11.03.2010 by Martin Kuppinger
Versatile authentication is one of the hot topics in IT – more and more vendors start to support it in some way or another. Versatile, a not that common term, means the ability to flexibly switch between different authentication methods. In practice, versatile authentication solutions shall support at least the following features:
- Flexible use of different authentication methods.
- Simple plug-in of additional authentication methods, e.g. extensibility.
- Flexible interfaces for applications OR integration with existing technologies which interface with other apps.
- Support for step-up authentication and other more advanced approaches.
Other aspects like fallback methods, management support for handling the token logistics and so on are value-adds, depending on the implementation of the versatile authentication technology.
Read the rest of this entry »
31.01.2010 by Martin Kuppinger
Today, some influential German politicians started argueing against the upcoming German eID card in a sunday newspaper. The eID card is planned to be available by November, 1st. The main argument is that the costs of the project are increasing – there is the request for some additional 7 million Euro for advertising. The politicans claim as well that experts doubt about the need for the eID card. They propose to shift the introduction to 2020.
There are for sure some points with the German eID card which you can discuss. However, the arguments of these politicians just show that they don’t understand anything of what they are talking about. No big surprise, you might claim – they are politicians. To provide my view on this:
- Yes, the eID card costs a lot of money. However, new things typically aren’t for free. And given that the eID card is a government project, there is a lot of politics and lobbying in, which never ever saves money. Anyhow, it doesn’t appear to be excessively costly.
- The concept of the German eID card might not be perfect, but it goes beyond most other approaches when looking at principles like “minimal disclosure of information” and the supported use cases as well for public as for private use.
- Security is well solved. There are some people claiming that fingerprints aren’t secure. Yes – there might be some fraud. But the eID card is way beyond the alternatives we have today and which could be used in a mass market. I personally think that it is much better to do some (significant) step forward in security instead of staying still and looking for the Nirvana.
- The concepts have to be explained to the public. That is an educational effort which will take time and which will cost money. However, we should look not only at potential downsides but might concentrate on the positive things – and there are many interesting use cases. There is a lot of potential within the German eID card.
- There are experts (I thought about putting the term into quotas…) – no surprise, you will always find experts which support your opinion, especially as a politician.
- You definitely can wonder about why we need a health card and an eID card on a national basis – one card might be sufficient (especially given that you have to educate people on the privacy concepts for both cards and thus you might reduce the efforts on this…).
I could add many more points to that list. However, I think that this is just another example of politicians talking about things they don’t understand at all. There is some value in the German eID card. It is based on a well-thought concept. There are things which might be improved – and many of the shortcomings we might observe at the beginning will be solved. It will take some time for the mass adoption – again no surprise. But overall, it is absurd to stop this project now and to restart it in some ten years. That would mean that much more money then it will ever cost to bring the project to an successful end will be destroyed and will have to be spent again in some years. Thus, there is definitely no sense at all in stopping this project now. But there is a lot of sense in spending some extra money in education of the citizens, to make it successful.
22.07.2009 by Martin Kuppinger
Some days ago the German government announced a list of 30 companies with test cases for the upcoming eID card, which will be available starting November, 2010. The good news is that the BMI (Federal Ministry of the Interior) has managed to get a good number of test scenarios outside of eGovernment. The identification of flight passengers at airports, hotel check-in, online shops, and some use cases for age verification are on the list of published test cases.
For sure there are as well many eGovernment applications amongst these 30+ scenarios but the real important thing is that there are obviously many partners outside the eGovernment which are interested to use the eID card for identification (or age verification) purposes within their specific business use cases. If they succeed, there will be a lot more partners once the eID card is officially issued - and the more companies will use the eID card, the more momentum will be there for “buying” the eID card and switching to it from the current conventional ID card. That is about “buying” because the eID card is mandatory when renewing the current eID card (which is valid 10 years from the date of issuance). That fee will be accepted more likely when the card can be used for many use cases.
Overall it appears that the German government is doing a good job in creating some interest in and momentum behind the eID card. And doing a broad test with many partners more than one year before the card is distributed widely is definitely important – there will be many lessons learned. Anyhow, the biggest threat for the eID card still will be the acceptance. Test cases are one thing – the other aspects are usability (make the eID card as easy to use as possible, even from home) and trust. There will be a lot of discussions around the eID card, and educating users about the security and privacy (which is pretty good in the eID card concept) is extremly important for the success of the German eID card. But there will be a lot of FUD (fear, uncertainty, doubt) raised around this issues, like “the fingerprints aren’t fully secure”. Yes, in fact, there is some slight chance of abuse – but what the eID card provides is a big step forward for most of the users. Thus, we should look at it more positive and understand it as an important improvement for security in the Internet – with some shortcomings (national, time-to-market,…).
It will be definitely interesting to observe the different test cases and the lessons learned there. Despite all doubts, the German eID card has a good chance of becoming a successful project.