Facial Recognition for Access

[Image: Facial Recognition Software. Caption: Access Granted. Credit: Wired]

One of the slight annoyances in my work, entirely my fault, is leaving my access pass somewhere else, and having to wait for a friendly colleague to tailgate. How do they ensure who I am? Facial recognition of course.

Of course this is embarrassing at best, and in remote offices can be frustrating at worst. Often I’ll have to sign for a Temporary Pass to get into an office.

Insecurity Through Scale

Then there’s the ridiculous number of systems, even within an Enterprise, that don’t use SSO (Single Sign On). The number of websites I have a login for runs into the hundreds.

Which is one reason the iOS fingerprint reader is so powerful. It’s two factor, combining something I have (the iPhone) with something I am (the fingerprint) to authenticate me to any number of systems, and shortly, payments.

But there are times, most times actually, but let’s keep it to hands-free times, when you need authenticated access to information and you don’t have the time, or the means, to type in a password or touch a finger pad. Let’s say you’re a doctor treating a patient, or a harried traveller checking in for a flight.

Facial Recognition

Facial recognition is no longer the stuff of dystopian Sci-Fi movies. As an industry, border protection, police, and security services have been using this for well over a decade.

And with the power of Moore’s Law, the compute power you need to process a face accurately is well within the reach of consumers. Even for large set recognition, we have technology that does a good job of recognising customers for focussed concierge.

Just look how accurate Facebook is at suggesting a name tag for photos you upload to the site.

It won’t be long before passwords (at least typed ones) and access cards are a quaint footnote in history.

What does this mean for Trust, Privacy, and Personal Liberty?

In IoT You Cannot Know The Value Of Your Data

At the recent AIIA Navigating Privacy and Security Summit Mike Burgess, Telstra's CISO, mentioned 5 key principles to adopt when talking cyber-security to the business.

Principle #1 is: Know the Value of Your Data

That makes sense, right. This is a good place to start. In fact, probably the only place to start. How can you even begin to determine how much to invest in security without knowing the value of your data?

This is the principle that made Locksmiths the oldest guilded profession (and 2nd oldest profession). As soon as people had something of enough value to be stolen (gold), technology was developed to protect it (chests, locks, castles).

And it's also true that few organisations even know the data they have, let alone its true value. This is the principle that has led to the “Egg Shell” security paradigm. Assume everyone outside is bad, inside is good, and put a big (fire)wall between the two. Secure the perimeter.

It's long been known that this strategy is flawed. I was teaching “Defence in Depth” IT Security Courses for Windows 2003 Server as a Microsoft consultant over a decade ago. Most breaches are from trusted parties (i.e. with access to the inside) or social engineering of the trusted parties. Not to mention that with access devices now living in people's pockets (and on their wrist) and compute delivered from the cloud, there is no perimeter.

Still there is little corporate knowledge of the data that flows through an organisation, let alone its value. So defining and understanding the value of your data is a great starting point.

But I would argue that with the advent of the IoT, you will not possibly be able to know the value of your data…

…Because that value changes.

Let's take the value of whether your house lights are on or off. Right now, there is no, or little value in this data. But connect all of your lights to the Internet, and suddenly there's a raft of value, some instrumented, some inferred:

  • How much electricity you're consuming.
  • What time you awake, and go to sleep.
  • How much sleep each person in your house gets.
  • How your footy team is doing (you may program the lights to change colour on scored goals)
  • New Social Media followers
  • How much electricity your lights consume.
  • Relative to other houses in the street.
  • How much power will be needed in a suburb for given weather, time, and traffic events

None of this data is relevant now, but it immediately gains value as we connect these appliances to the Internet. And as we connect more devices and appliances, this increases exponentially. And that's just in the home, let alone the enterprise, farms, roads, cities, mines, aircraft…

The network creates this emergent value of data. Essentially this conforms to Metcalfe's Law, that states:

“The value of a [telecommunications] network is proportional to the square of the number of connected users of the system (n²).”

A New Paradigm

So a new paradigm emerges. In the old days those that truly understood the value of their data put in place appropriate security for just that data. Those that didn't just attempted to protect everything.

But just as you cannot predict the emergent value of data (and meta-data), so also no-one will have the resources to protect the scale and complexity of the IoT with the same approaches as before.

We need to look elsewhere to resolve this.

So the exam question is: “Where are other networks of incredible value, and what systems are in place to detect, identify, and protect against threats to these networks?”

And the first principle becomes:

“Implement a resilient security system that automatically extends to the emergent value of your data as this emerges.”

Cloud in the Enterprise – Security 2 – Entrusting your Crown Jewels for Safekeeping

Project 2012: Day 167

A second concern that CIOs raise with shifting compute delivery to cloud architectures is one of Privacy. This is more than ensuring the confidentiality of corporate information (a big enough concern in its own right). This is about the legal and business risk ramifications of entrusting Personally Identifiable Information (PII) to a third party supplier.

Much like putting your money in a bank, rather than buying and protecting your own vault.

Many, if not most, enterprises have strict privacy policies, with procedures in place to ensure that PII is dealt with securely. The concerns with shifting this information to cloud include:

  • Increased vulnerability to attacks of the vendor (rather than attacks of the enterprise) as the vendor would be hosting multiple organisations
  • Losing availability to PII should another company be investigated on a shared platform
  • The loss of transparency of who actually hosts, processes, or transmits your data

It’s in the Architecture

As with any IT system, it is important to consider security when architecting the solution, not as an afterthought. Cloud is no different, at least when considering the technology view. As CTOs we need to ensure that PII is secured technically, no matter the platform we choose to deliver the information.

Risk Management

Where cloud computing does differ, however, is in the control of managing risks to the business. This is now delegated to a commercial agreement, i.e. a contract with the suppliers.

Where this is different from putting your money in the bank, is in two areas:

  • The legal safeguards in most countries.
  • Standards that banks are required to (and do) meet.

Currently there are a number of laws about handling PII, and these vary from country to country. By and large in Australia you can store PII in any country that has equivalent or greater legal protections for that information.

These laws cover collecting, transmitting, storing, keeping, and sharing PII. We need to establish our cloud provider understands, and explicitly adheres to these laws in the handling of this data. How that translates technically is demonstrated by the tools and processes providers use to enforce the protection of this data.

Transparency in the Supply Chain

But not just your cloud provider.

From a risk management perspective, however, there is one more issue that we must consider. Cloud providers have dependent providers. For example, the provider of your Accounting software will have contracts with a network provider and an I/PaaS provider. Potentially they have a separate agreement with a company that provides their authentication systems, and further agreements with a company that provides the management and monitoring tools. Then the I/PaaS provider could have down level agreements with datacentres that host their systems or provide hardware, and they may even contract to a storage provider elsewhere.

A valid request is complete transparency over the supply chain of who is looking after your data.

What you don’t want is someone to have access to one of your cloud vendor’s provider’s systems. Especially if you don’t have any knowledge of who these providers are, and whether they comply with the Privacy laws.

In Short

Technically, there is no reason why storing PII or other sensitive information in the cloud cannot be as, or more secure, than in your own datacentre. Especially when you consider that the vast majority of security breaches are perpetrated by an employee of the company.

However, you do need to consider the geographical jurisdiction, and security standards adhered to by your cloud provider.

Most importantly, demand full transparency of your cloud provider's supply agreements, and the safeguards they have in place to protect your sensitive data.