Category: Identification

Biometrics – Do we end up in a surveillance state

http://www.planetbiometrics.com/article-details/i/10211/desc/guest-post-experience-a-seamless-lifestyle–idemia/

https://www.aclu.org/other/whats-wrong-public-video-surveillance

https://www.govtech.com/policy-management/Study-Surveillance-Cams-Worth-Money.html

As we think about the world we are living in and the world we want to live in. We must balance friction and convenience against the potential risks which will emerge as technology blossoms and expands to touch ever part of our lives. This morning I got a text informing me of the 200 million cameras the Chinese had watching their citizens. I immediately remember the CATV system in London and

CCTV Camera technology on screen display

what parts of the City it covers. Its goal record everyone’s movements to protect against terrorists. Airlines are talking about ticketless travel and some are speaking of passport-less and ticketless airports. We wonder if Alexa is recording our every word and we know our PC, Tablet, Baby monitor & mobile phone cameras and microphones can be used by: who knows who, to watch who knows what, whenever they so please?

Is this the world we want to live in? Or would we prefer our cities to enact laws like those recently enacted in San Francisco. This law is meant to ban the use of these various cameras and listening devices from being used to identify everyone they see or hear.

This conversation then immediately bleeds into the question of our right to privacy. With all that the internet offers for free and what all these devices are capable of sharing; we’ve given our privacy away.

How often do you wonder why the ads you see seem to attempt to sell you exactly what you recent read about? How often do you wonder why you no longer can easily find the site you are looking for? Instead you have to filter through the search list to get past all the ads. How many of us even understand the information people can glean from what we do and were we are; when we use or carry our devices around?

On one side of the discussion is reality. As has been the case for as long as I can remember.  TV, radio, newspaper, magazine, browser, social media, much web content and mobile app are funded by advertising dollars. Spent by those who want to convince some of us to buy what is on offer. It is these advertising dollars which pays for the content and ultimately decides what will survive the test of time. On the other side are the politicians, regulators, lobbyist and corporations who are focused on one thing. Helping people prosper or worse protecting some so they can continue to prosper.

The acquisition of wealth, the construction of infrastructure, the destruction of our enemies or the support for those without; is all about money.

If we seek to protect our privacy and be assured, we will not live in a surveillance state. We must be willing to read the fine print and be ready to pay for what is now free.  We must be ready and willing to take the extra time to pull out our passport, enter our user name, present our boarding pass. We must insist on the necessary friction to protect our identity and our freedoms.

If convenience is what we insist on.  Be assured, companies will happily build solutions to remove friction. Beware, removing friction, when it comes to  your identity or privacy, means you will allow people and organizations to collect and store everything they can about you/  Their goal to identity you and without friction, with the purpose of serving you or better said profiting from your actions.

All of this is more than the Uber experience.  Uber recognizes your phone and account not you.

This will be a world where the system behind the camera will see you, compare your face to all the faces on file and determines it is you. Therefore, knowing who you are, it can do what it is told to do; because it is you.

Smart Cards with Fingerprint Scanners

Over the last couple of years the reality of fingerprint cards is a hot topic in conversation, white papers and press articles.  It led me to think about the challenges and opportunities associated with this intriguing convergence of technologies.

My purpose is not to determine which solution is best or which companies are developing and selling them.  My goal is simply to explore.

The first consideration begins when the card is constructed.  Here we must ask the mechanical question relative to how the electronics are integrated into the strata of an ID-1 card.  This then begs the question of making sure this new card conforms to the specifications dictated by Payment, Networks, Governments or other bodies who define the use of these branded cards.  If we continue to think about the card manufacturing process we need to think about electronics and the use of heat in the typical lamination process or the inclusion of metallic materials used to create a particular look.  One needs to think about the method of connecting the various internal components to the other electronic elements  as the fingerprint scanner, antenna(s)m LEDs, batteries, the EMV chip or contact plate on the face of the card.

The second set of concerns must be related to the personalization of the card.  First question is where will it be personalized? in a branch or within a bureau?  How will it be personalized? With a thermal printer, laser engraver or embossing machine?  Will any of the  personalization processes adversely affect the electronic?. Similarly it will be appropriate to confirm whether any of the various card transport mechanisms will disrupt or damage the sensor and related electronics.

At some point in the processes the consumer must register their fingerprint and the resulting template must be instantiated into the card.  How will this be done?  Some speak of an in branch process.  Others talk about some type of first time cardholder activation process performed when they receive the card in the mail.

Clearly there are a lot more questions the issuer, card manufacturer and personalization provider need to address.  Let alone the method of making sure the cardholder knows how to use the card at the point of sale or ATM

The key question is the cost of the card, is it worth it?

Where are we going

Each morning I read trade articles on Blockchain, Faster Payments, Mobile Wallets, Authentication, Identity and other alerts & subjects of interest. Each day the writers leave me thinking about the future of society, howbwe will address cyber security, what we can do to funally eliminate fraud and which solutions will help us to mitigate risk. These then drives concern about where we will end up, as we drive to define effective means of identity and authentication, capable of supporting the individual desire for convenience and gratification.

Facial recognition deployed to speed up entry and exit to and from countries and through airports are here. The surveillance state is emerging at alarming speed. These same cabilities could potentially deliver a safer environment. Which will it be?

Physical and behavioral biometrics many feel should become the primary means of authentication. Yet, false acceptance and more importantly false rejection will result in inconvenience some expect the consumer to tolerate while other remember friction typically ends up with the consumer abandoning the journey.

The cost of payments, the escalating concern of the retail sector, remund us thatnpayments are sourcesnof revenue for some and friction for others.

Identity theft and the ability to create synthetic identifies are the fears of many. Consumers whose identity is stolen struggle to regain their standing.

In the end all we seek is:

  • Pay for something
  • Identify ourselves
  • Protect our hard earned money
  • Live a safe and productive life
  • Be assured you are you and not someone else

Proofing or Identity Verification is the Key to any Relationship

When we consider our activity in cyber space  and even in in person.  The most important element is the relationships we develop.

If we consider the characteristics of a relationship, we need to think about the question from the perspective of each of the two parties.

  1. The relying party: be it a bank, merchant, club, government, employer or other operator of a website or facility; are interested in serving, selling and supporting the user
  2. The user: be it a individual, consumer, citizen or employee; are interesting in accessing information, exploring, shopping, browsing, communicating, sharing or otherwise enjoying something.

A relationship can then either be enduring or can be that of a guest.

  • The user wants to know if the party they are attempting to engage with is who that party claims to be.  Rely party simultaneously needs to believe the individual is who they claim to be.
  • What the users identity is or better said what attributes of user’ identity are necessary is down to the objectives and longevity of the relationship.

Being assured of these truths is what proofing or identity verification is all about.  Data privacy and need to know then filter into the conversation.  This then needs to be balanced against risks the relying party and the user are taking,

With all of this in mind each party can decide what level of identity verification is required.  This task is all about how one balances privacy, convenience, security and risk.

Biometrics carry risks.

Hacking Our Identity: The Emerging Threats from Biometric Technology

As I skimmed through this article I was reminded of the reality of biometrics.  It is a statistical algorithm designed to compare what was registered to that was just sensed.  It is an imprecise process.  The author reminds us of the importance of our identity in each and every interaction we engage in.  She further ponders the question, of the potential threats to the biometric solutions that countries, people and enterprises are embracing, as we work to address the questions of Authentication and Identification in our complex digital and physical world.

The article asks the questions:

      • Do the countries and enterprises understand the technology and processes used to support biometrics as a means of authentication.
      • Do they appreciate the need to secure and protect this most sensitive of data?
      • Is the data they store able to be used to compromise the individual of the integrity of that which it seeks to protect?
      • Are we at risk of creating a surveillance society?

Finally there is the question of the accuracy of biometric matching.  It is interesting to observe the comparison of the accuracy of biometric matching to PIN or password matching.  We all recognize the challenges of PIN and password.  It is not the concept it is the question of how many complex PIN or passwords is the human mind capable of retaining without writing them down or storing them someplace that can be compromised.

As I have argued in other blogs, the answer must be in the possess of something unique which has a False Reject Rate FRR and a False Accept FAR Rate, both approaching zero.  Clearly the PIN or password has such a characteristic the challenge is in remembering so many.  An object or a thing “Something You Have”, be it a card, phone, watch or bracelet with a Restricted Operating Environment inside e.g. secure element, TEE or TPM, secured using strong cryptography, paired with a biometric makes the most sense.

Identifiers, Tokens and Authentication

Often times I have wondered why everyone is so enamored with Tokens and Tokenization. Some time ago I begged the question of the broken token in a presentation to the Smart Card Alliance.

My premise is simple.

Identifiers are not authenticators. Replacing the identifier with a token as a result of turning an Identifier, the PAN, Social Security Number or other identifying index value, is a bandage on a festering mistake.

What we need to do is address the challenge of authentication in a convenient and frictionless way. Having to protect an identifier was the issue that created PCI and the whole issue of PII data. The Identifier should not need to be protected. It was and still should be an index and means of recognizing the relationship the relying party has with you. The authentication function is to make sure the person linked to that identifier is you!

User name: Identifier

Password: *********

Was not a bad start. Single factor authentication “what you know”.

Given the number of relying parties we all maintain relationships with, it is time to retire the password; Introducing “what you have” a secure thing (be it a chip card, Fob, Mobile Phone or Personal computer) and exploit the power of cryptography. Then add a second factor, a password or PIN, is a great first step. Changing the PIN or Password to a Biometric is a great leap into a truly secure environment.

The Key is to embrace the first factor “What You Have” a true token.

SCA Workshop Tokenization - 2015

We are here to help you figure out the right approach for your organization.

Authentication, Trust, Identity and Identification

This week the following title caught my eye Why Authentication Needs to Simplified for Users and Organizations. As one of those users who wants authentication to be easier, I was driven to reflect back on what companies have offered as mechanisms to secure this amazing landscape called the World Wide Web or the Internet. Each of the four devices on the right are samples of the primary factor “What You Have”. They date back over 25 years and each included a Secure Element currently referred to as a Restricted Operating Environment ROE. The one with the keyboard was issued to me by my european bank in the 90’s. It was used as step up authentication to secure the transfer of funds.

Cumbersome to say the least. I had to enter a PIN, a number displayed on the screen then type the number displayed on LCD into a field on my personal computer. What I always asked myself, why can’t they integrate that thing inside my keyboard or laptop.

Reflecting forward and thinking about what we have to do today to authenticate ourselves. We are confronted with a myriad of solutions each different each claiming to be the right answer to the wider question. Secret questions, PINs, patterns, passwords, an SMS or email with one time passcode, the Google authenticator, the Microsoft authenticator, the FIDO U2F keys, the Fingerprint sensor on my phone, the camera on my desk top, how I use my mouse, where I am located, is there a cookie in my machine.

On top of all of those commercial solutions, there are numerous demo authenticators clients and prospects have asked me to look at.

Each different.

Each requiring the user to appreciate when and how to use it.

What is the answer. First we must agree on the requirements.

  1. Convenient
  2. Intuitive
  3. Easy to Integrate
  4. Secure

Starting with secure it must be able to offer a unique method of authentication that cannot be spoofed, counterfeit or otherwise compromised. It must have a false accept rate approaching zero and a false reject rate also approaching zero.

As it relates to easy to integrate the people who manage identity & access management systems IAM, computers and applications need to be able to quickly and with a minimum of effort, replace what is now used to identify and authenticate the user, with something new.

Intuitive this is the real challenge. There is the variety of users that must be considered. Are they their willing to learn or capable to make the leap, we hope they will?

Finally convenient which demands fast, easy, memorable and even something that is device independent.

How did we get here? Nobility provided individuals letters of introduction, sealed with wax and a signet ring to confirm the origin. This letter assured the attributes, capabilities and identity of the carrier. We trusted because of the seal we recognized

We, one of 7 billion people on this planet, have more contacts on LinkedIn, Facebook and a myriad of other social networks than many towns and cities when a ring and wax was an effective means of authentication.

Today we carry a number of documents. Each designed to provide proof of our identity. We simultaneously expect schools, employers, friends and other agents to be ready to offer proof of our claims. Did we graduate? Did we work there? Are we of good character? Did we received particular certificate?

Insurance companies, airlines, merchants, hotel and banks all provide cards and other means of identity. Each designed to inform someone of our rights, privileges or capabilities.

But, and this is a big but. We do not have an effective and convenient way of sharing these rights, attributes, and privileges on the internet. We let people identify themselves with user Ids and passwords. As the number of digital relations grow the challenge of maintaining secure passwords gets worse. As the challenges of phishing and vishing attacks got more sophisticated the risks, fraud and loses escalated.

We understand these challenges helped to secure card payment systems, were involved in defining new authentication standards and have seen and been exposed to way more ideas than necessary. Happy to help your organization’s secure your consumer and employee relationships.

Disruption or the Reality of Legacy

Often times people speak of disruption as this traumatic thing being imposed upon them, their industry or society. Yet, if we look under the covers disruption more than likely is all about a competitor, not locked into a legacy approach, approaching the market with different tools.

The world of payments, as so many others, have implemented technology then gone on to enhance or update multiple times. Each time, someone or some group of people, had to adapt therefore invest to keep up. More often than not, a community would decide to hold on to what they built, sometime ago, hoping no one tried to disrupt the status quo.

With payment the need to embrace more effective approaches parallels the robustness and frequency of transactions. It also parallels the desire of sellers to do business with anonymous buyers. A lack of trust and a need to reduce the amount of cash we carry drove, markets to promissory notes. These promissory notes further evolved, as trusted intermediaries entered the market and created more efficient methods of providing that guarantee of payment.

Not wanting to duplicate what is already written about the history of money and payments we can jump forward through the paper phase to where we are in North America: Cash, cards, some checks and electronic debits & credits.

If we look inside the evolution of legacy.  We find what we have, is a stumbling block, holding innovation back.  We need to decide to adapt what exists or remove and replace.

Digital Identity and Multi-Factor Authentication, A Necessity in an Increasing Digital World

Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s

Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World

The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:

  • Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
  • Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
  • Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
  • John Dancu, CEO at IDology
  • Vivian van Zyl, Senior Product Architect at FIS

The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience.  The discussion considered the balance between friction and security.  All of the panelist  articulating the demand for convenience.  The Audience questions which is it the desire, or is it the demand, of the American consumer.

All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing.  The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification.

Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and responsibility to protect the consumers assets and identity attributes.

The question of centralize biometric databases versus distributed biometric databases, reminded people of the reality, our data, attributes and identity is already available on the Dark Web.  How we restore privacy and what will happen as the new GDPR regulations go into force in Europe, and as California moves to introduce its privacy legislation; requires each of us to  watch carefully and be part of the move to  restore the consumers’, OUR, right to the data that is us.

A Letter to Karen Webster of PYMNTS.COM

Karen, you come to mind off and on, especially when I’m try to keep up with what is happening in the wild world of payments, block chain, cryptocurrency, identity, authentication, trust, identification and who knows what else.

One thing is clear.  Lot’s of companies are investing significant sums of money in these various “opportunities”.  Yet are we, as a society, on the right path?

We could look to Washington DC, and the other capitals around the world, and this same question would apply.  But, not to get distracted.

Let’s start with identity and authentication in the digital space

As you may remember, EMV was something I got deeply involved with, both here in the USA and back when we originally conceived of the specification.  We the three founding payment associations had one goal – solve for counterfeit.  And, when the issuer or country so desired address lost and stolen fraud.  Focused on the physical world of commerce, the Point of Sale.  Our original goal was simple.  Assure global interoperability by defining a global migration path away from the magnetic stripe.  We mutually agreed we had to select a technology capable of protecting the physical token, the card, well into the 21st century.

Simultaneously, as was so beautifully captured by the Pete Steiner’s famous 1993 New Yorker cartoon, we knew there would be an issue in the digital space, that thing we then call the World Wide Web.  MasterCard and Visa set out to define the Secure Electronic Transactions SET, then Visa patented a concept called 3D Secure and more recently  worked together with the other owners of EMVCo to create EMV 3D Secure.  Each of these, attempts to find a meaningful way of  authenticating the cardholder when they paid with a credit or debit card.

Today billions of identities have been compromised.  The techniques used during an enrollment process online, to verify who you, are no longer viable.  Identifiers like our social security number and Person Account Number (PAN), unfortunately, became authenticators, a role they were never designed to support.  As EMV was deployed criminal shifted their focus to the Internet and PCI had to be introduced to address the challenges of criminals acquiring payment card and PII data.

As the World Wide Web morphed and grew in value and importance, the potential of monetizing the vast amount of data companies where collected began to scare people;  as this recently found comic so aptly demonstrates.  People, governments and corporations started to struggle with their desire for privacy offset against the value of data corporations are collecting.

Way back then, an opportunity to address the issue was offered by Bill Gates.  As is always the case, Microsoft the then technical giant  wanted something to support what society would ultimately need.  The idea of the social good was lost to the value of corporate profit and control.

As the Internet grew to become this marketplace, library, museum, cinema, place to play and place to meet and connect; we imposed well understood enterprise security techniques (username and password) to the consumer space.  The password thus became our challenge.  How do we convince customers (let alone employees) of the importance of complex, hard to remember passwords – unique to every security conscious relationship we establish on the World Wide Web.

Are biometrics the answer, has the FIDO Alliance and W3C created a set of authentication standards we can all embrace?  Hopefully.  Unfortunately, most opportunists are seeking to monetize their often proprietary solution, creating what they think is a best of breed consumer experience.

My fear, we are moving from the familiar experience of typing our user name and password; to multiple unique experiences at the front door of each and every web site we seek to log-in to. 

As an example my Samsung Android phone has a fingerprint sensor and is FIDO certified.  There is a Samsung Pass Authenticator, Microsoft Authenticator, Google Authenticator and several demo versions of various other authenticators.  I also receive SMS messages with one time tokens I am asked to enter onto the screen.  My PC it also is enabled with a FIDO U2F set of dongles.

Unfortunately my tablet has none of these and assumes I will simply remember, thank you Norton Identity Safe, my various passwords.  What a mess we are created all with monetization and the desire to offer a unique consumer experience as the justification.

With all those already installed, I await the introduction of WebAuthN, within the various browsers installed in my PC, tablet and phone. 

Moving to Block Chain and Cryptocurrencies

The wild west.  The makings of a speculators dream.  The realm of the incomprehensible, built on complex mathematical concepts and the desire to remove the man in the middle and replace them with the miners and nodes distributed around the center.  Or, is the idea of the distributed ledger the solution to the challenges of trust in an every expanding universe of connected people and things.  One can only wonder?

People speak of removing central governments.  Yet, they remind us that there is a governing body, book of rules and set of code that is designed to assure immutability.  If I understand their, logic we should not trust Governments instead we  trust these new open societies and digital enterprises?  they speak of removing intermediaries and replace them with nodes and miners.  New players responsible for creating and signing the new blocks and distributing it all those who maintain a current copy of the chain.

Is there potential, Absolutely.  The challenge is to understand why one would wish to move data from a trusted central repository to a distributed trustless environment.  Cost and latency should be part of the discussion and most importantly the level of trust the parties have with each other, identified intermediaries and governing bodies involved in the ecosystem.

Finally Payments

Barter, gold sovereign, IOU, government or bank back notes and coins, checks, cards, account based solutions, digital coins and what next.  Payments have been this ever evolving space.  Some seek to monetize the methods businesses, consumers and governments use to pay for the good and services they seek to acquirer, use or explore.  Others argue that the cost of payment should not be a source of profit.  The interesting twist here is more about the stage an economy is at in their migration from one from of payment to another.  Questions of legacy and history limit a markets ability to embrace the new and retire the old.

We could shift the conversation and focus on the store of funds: be it the safe in the wall, the checking or savings account at an institutions or digital coins stored in digital memory.  We could talk about the entities that focus on the experience and employ the already existing mechanisms.  We could think about block chain, crypto currency, identity and authentication.

Does the consumer care? or would we be pleased to simply hear the merchant say thank you for your payment.   The frictionless experience of get out of an Uber car or when we click the buy button on Amazon we know the payment will be made and that we will see a receipt in our email.  Remove the friction and make sure that only what I owe is paid, that is the experience we seek.  We the consumer are not interested in the detail.  We just want to know we successfully paid, using the source of funds we set up as our default.

In Conclusion

Yesterday, with this blog incomplete, I listened to  The Economist article titled Rousseau, Marx and Nietzsche – The prophets of illiberal progress – Terrible things have been done in their name.  What grabbed my attention is that it spoke to the depth of my wider concerns.  The article concludes with the following:

The path from illiberal progress to terror is easy to plot. Debate about how to improve the world loses its purpose—because of Marx’s certitude about progress, Rousseau’s pessimism or Nietzsche’s subjectivity. Power accretes—explicitly to economic classes in the thought of Marx and the übermenschen in Nietzsche, and through the subversive manipulation of the general will in Rousseau. And accreted power tramples over the dignity of the individual—because that is what power does.

As I think of our capitalist environment, I am concerned and wonder if the publication of the Economist article is  timed to educate and alarm.  The reality is we are experiencing a concentration of power leading to an increase in the distance between those in the upper 1% and those we call the middle class.  Therefore, there is a need to about what is good for the whole, yes a tiny bit of socialism, to restore balance to make sure the wealth and benefits accrue to all and not just the few.

As identification, authentication and payment systems, discussed above, evolves we need to think about the structure of how these solutions will be offered to the market.  Are we seeking to address a social issue like crime or terrorism? Are we seeking to improve confidence?  Are we attempting to focus on the consumer, citizen and employee needs?  Or, is it all about shareholder value and the search for profit?

Like in the article discusses, my fear is Profit will create confusion and complexity.  Not more convenient and frictionless experiences.

The case for Identification and Authentication

As we continue to explore the case for Identification and Authentication I share the below article.

What is becoming clear is standards are being embraced.

In the Payment space

Will it be W3C WebAuthN, 3DC and Webpayments or EMVCo SRC & Tokenization?

My guess depends on if standards bodies can play well together.  EMV (contact or contactless) will remain the many stay for physical world commerce, until the App takes over the Omni Channel shopping experience.  then the merchant will properly authenticate their loyal customer and use card on file scenarios for payments.  The question of interchange rates for CNP will see a new rate for “Cardholder Present&Authenticated/ Card Not Present.”.  In time when a reader is present I can see an out of band “tap to pay” scenario emerging using WebPayments and WebAuthN.

In the identity space

I contend the government and enterprise market will go for a pure identification solution with the biometric matched, in the cloud, in a large central database.  Does it include a what you know username, email address or phone number; maybe!  If it is simply the captured image or behavior, then it is a 1 to many match.  If it is with an identifier, it is classic authentication with a one to one match.

In the pure authentication space where the relying party simply want to know it is the person they registered.  Then, the classic FIDO solutions work perfectly and will be embedded into most of our devices.  Or, as we’ve seen with some enterprises, the relying party will embrace U2F with be a FIDO Key, like what Yubico and Google recommend.

The classic process needs to be thought about in respect to what can be monetized.

  • Enrollment = I would like to become a client or member
  • Proofing = Ok you are who and what you claim, we have checked with many to confirm your Identity – This is where federation comes in.
  • Registration – Verification = Ok, now we confirm it is you registering your device(s)
  • Authorization & Authentication = Transaction with multiple FIDO enabled relying parties using your duly registered authentication.

How Microsoft 365 Security integrates with the broader security ecosystem—part 1

by toddvanderark on July 17, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protectionthreat protectionidentity and access management, and security managementproviding in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsofts strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, well address these topics, beginning with Microsofts strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sourcesand enhanced from shared threat intelligencehelping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Securitystrengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance, helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of todays security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online Chile exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, well showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

 

Something to wonder about

What You Have

The Two Sided Market

When we think of investing in various macro business needs e.g. revenue. We see that establishing relationships with customers to stimulate sales is why we create the goods and services, hopefully, others want.

If the buyer has something the seller wants, in exchange for the good or service they desire, then a transaction occurs. The challenge is simple, each party defines the value of what they are providing or exchanging and presto the trade occurs.

When society grows and the complexity of what each of us produces and when our needs are not aligned to this process called barter, a means of monetization is established. Society creates a trusted form of exchange – pebbles, coins, money, a promissory note or now even cyptocurrencies.

In other words, society creates an answer to enable the exchange of goods and services between parties who do not have goods and services the other party seeks in exchange.

With cash, coins or other trangible representations of value, commerce is easy. When we complicate things and worry about carrying cash and seek to buy things with debt. A need for a Network emerges.

These payment networks, by necessity, add complexity. They create the need to establish two sides to the market, one focused on the relationship with the buyer and the other with the seller.

Issuance and Acceptance. Two words to descibe the two sides of a network. It’s only when the two sides of the market have sufficient participants. Only at the tipping point, enough critical mass exists, to create a self sustaining network. This is the network. At this moment the network blossoms. If either side of the market does not achieve critical mass, the network collapses.

Any two entities familiar and trusting in the Brand, or each other, can easily establish a temporary relationship. Adding anonymity to the requirements, increases the leave of trust and recognition the Brand must establish.

In a digital environment we have to define mechanisms to share and establish trust across trillions of electrons. The two sides will not pursue understanding of nor focus on security. Until the risk exceeds a threshold unique to each party on either side of the market.

To often in the past, the idea of the individuality of the individual or the need to design security in from the beginning. Has left us with a legacy of system all needing design of custom approaches to how to integrate security with requisites necessary to capture, calculate and manage risk.

The Artifact of Trust

When a mutually trusted set of parties gives the citizen, consumer, employee or courtier a card, a device or an object and provides every acceptor with a reader capable of recognizing the trusted thing; then the two parties are in a position to establish “trust”. The consumer has a thing which is recognized and trusted by the acceptor. This is often referred to as “What You Have”.

Once the thing is recognized by the acceptor, then, the process of identification and authorizations (the transaction) can take place. The object – the artifact – carries an identifier. It possesses characteristics that establish its unique character. The object also posesses a means of assuring the acceptor the presentation of that identifier repreents a unique entity.

The simplest artifact of establishing “trust” is a hand held thing, be it a key, fob, card, watch, pendant, phone, ear piece. It does not matter what it is, all that counts is that the merchant recognizes it and that the consumer is willing to carry and present it.

Trust, for the merchant, means they can, according to the rules, recognize and authenticate the thing. They are then in a possition to pursue a temporary and trusted relationship. What can be achieved during the time the relationship of trusted is bounded, is the constrained by an additional layer. In this layer the consumer, the acceptor and any third parties address which the rights and privileges are to be granted or pursued. This is when the exchange, sale, conversation, tranaction, event or access is granted.

Two sides meet several common mediums of exchange are available.

[contact-form][contact-field label=”Name” type=”name” required=”true” /][contact-field label=”Email” type=”email” required=”true” /][contact-field label=”Website” type=”url” /][contact-field label=”Message” type=”textarea” /][/contact-form]

Digital Identity

Question for all those who advocate migration from card to electronic

We all are aware and many of us dream of a time when all of our physical identity artifacts are digital. We dream of consolidating these credential in our electronic wallet, otherwise known as our mobile phone.

Today while visiting an outpatient imaging center, I was asked for my drivers license. She would only accept the physical document, I offered to send an image by email. Her goal to scan my identity document into the electronic patient file she was creating. The idea of an image of the drivers license in an email, well.

Sure the system could easily be changed to record digital credentials delivered by NFC or BLE. The first question given the expensive medical system we have here in America; at whose cost?

Time could not be argued as a savings, she would only have a saved a second or three of time to pass the card back to me.

People discuss contactless cards and contrast them to the convenience of a Mobile Wallet. What we often forget is reality. As long as we need to carry other physical identity artifacts, the convergence of our leather wallet into our electronic device is not happening.

In my humble opinion it is an all or nothing situation. Yes I will add digital credentials into the mobile wallet. But, unfortunately, the leather wallet is still part of my attire.

Better still it does not need to be recharged. My leather wallet still works after the phone’s battery has died.

Authentication or Identification

Two words Authentication and Identification.

Reading what Wikipedia had to say about authentication leads to an interesting array of discussions across a wide set of sciences and other social segments. The exploration led to a search for a definition of Identification:

  • The act of identifying, or proving to be the same.
  • The state of being identified.
  • A particular instance of identifying something.
  • A document or documents serving as evidence of a person’s identity.

Next exploring what Wikipedia had to say about Authentication leads to a much richer discussion aligned around the idea of assuring the truth of a particular attribute, someone is claiming to be true. Seeking to assure a degree of parallelism to the discussion:

Authentication is

  • something which validates or confirms the authenticity of something
  • computing proof of the identity of a userlogging on to some network

These two words: authentication and identification, some think represent the same act, yet when we bring into the conversation – privacy the two words have very different meanings.

We then have to think about the how and the what we are attempting to do.

In the physical world there are a set of situations and considerations. We will leave those for another article.

When we think about the digital world, this place were our physical presence is not present. We must find solutions that prove we are who we are without necessary needing another to vouch for our identity each time.

As a consumer we want the freedom to visit multiple sites and believe that where we visit and who we interact with is not open to all to know.

As I write, I can hear some say, all our stuff is known so why try to hide. They are correct and then they miss the concern – who knows. Not to get distracted.

Verification, a third word must enter into the discussion. In order for anything associated with only serving or sharing with a clear and identified party one needs to be able to provide Identity.

Digital Identity

Words to ponder as we think about the best way to secure our digital persona.

Identifier – A text string we use to uniquely identify ourselves to a relying party, person, government, employer, club or entity we wish to have or need to maintain a relationship with.  This group of entities hereafter will referred to as a replying party. 

Identity – We each are unique and have attributes 

Verification – A process the entity we seek to establish a relationship with uses to determine the truth of the attributes we share. One could argue this is or should be a mutual process.  Many call this identity verification or identity proofing.

Registration – When we take these three words identifier, verification and identification and think about the first time we present ourselves to a relying party in the global digital environment. We typically present ourselves through a user interface to the entity we are interested in establishing a relationship with.  We register and the relying party creates a record of our existence.  They seek to recognize and record our identity.

This process typically requires us to invent or the relying party to present us with a unique identifier and agree to identify ourselves with this unique string, often called a user name, email address, bank account number, social security number, employee id, passport number, drivers license number or payment (card) account number ‘PAN’.  The ultimate goal of registration is for the relying party tonassure themselves we are unique and that the attributes we share are linked to our person. They verify our identity.

Today the challenge is to find an efficient, convenient and none intrusive method of Verification.

Authentication – We exist, we can be recognized and are able to present oneself over and over again to the relying party, using our identifier.  The challenge is how do we prove or assure our identity to the relying party each time. We need to authenticate ourselves.

Identification – Many confuse the dialogue above with this word.  The difference is how we present ourselves or better said how the relying party expects us to present ourselves.

With the wide use of biometrics and  many of the identifier we spoke of earlier, our identifier many not simply be some random string.  A biometric is personal and linked to our body or actions.  This biometric can be converted into an identifier and therefore once accepted as genuine and integrates the act of authentication into recognition of our identity.

Certain identifiers create a level of assurance, because the relying party trusts the attributes it asserts based on who issued that identifier.  They are willing to trust in our identity and associated attributes because of the verification done by the isuing party.  It a passport, an employee id, bank card or a drivers license.  The instrument has characteristic, privileges and attributes linked to the issuing party, not simply attributes associated with the individual.

As we move from a physical world to a digital world.  As people seek to use our identity to present themselves as someone they are not.  As we seek to separate the various relationships we establish.    Requires that we find ways of assuring our privacy while securing our relationships.  All this demands we find more secure methods of authentication that are convenient. 

Money 2020 – 2017 – Las Vegas – Wednesday Digital Identity and Payments

With David Birch We asked the Question.  Identity – Authentication – Identification – Authorization and ultimately verification, where are we.

Simple.  We have the technology.  We have the standards and more are coming.  Authenticate, is done, use FIDO.

Identification with Biometrics is illuminatingly possible.  Even the one I know how to spoof, Voice, with other factors layered in, does the job very well.

The challenge is Privacy and Confidentiality must be inherent while regulatory practices must be incorporated.

PA&A Money 2020 FINAL