Facial Recognition for Access

Image: Facial Recognition Software, Access Granted. Credit: Wired

One of the slight annoyances in my work, entirely my fault, is leaving my access pass somewhere else and having to wait for a friendly colleague to let me tailgate. How do they verify who I am? Facial recognition, of course.

Of course this is embarrassing at best, and in remote offices can be frustrating at worst. Often I’ll have to sign for a Temporary Pass to get into an office.

Insecurity Through Scale

Then there’s the ridiculous number of systems, even within an Enterprise, that don’t use SSO (Single Sign On). The number of websites I have a login for runs into the hundreds.

Which is one reason the iOS fingerprint reader is so powerful. It’s two-factor, combining something I have (the iPhone) with something I am (the fingerprint) to authenticate me to any number of systems, and shortly, payments.

But there are times, most times actually, but let’s keep it to hands-free times, when you need authenticated access to information and you don’t have the time, or the means, to type in a password or touch a finger pad. Let’s say you’re a doctor treating a patient, or a harried traveller checking in for a flight.

Facial Recognition

Facial recognition is no longer the stuff of dystopian Sci-Fi movies. As an industry, border protection, police, and security services have been using this for well over a decade.

And with the power of Moore’s Law, the compute power you need to process a face accurately is well within the reach of consumers. Even for large set recognition, we have technology that does a good job of recognising customers for focussed concierge.

Just look how accurate Facebook is at suggesting a name tag for photos you upload to the site.

It won’t be long before passwords (at least typed ones) and access cards are a quaint footnote in history.

What does this mean for Trust, Privacy, and Personal Liberty?

What Company Data Are You Storing On The Cloud (against policy)

Ah Dropbox, that awesome tool. Like all good tools it “just works.” And it works better than the vast majority of the enterprise solutions like Citrix Sharefile, Microsoft OneDrive (I won’t begin to mention Sharepoint – oops, I just did), even Google Drive.

Which is why most companies I work with are battling the rising tide of employees flagrantly ignoring security policy and syncing their files across devices on this public cloud service. This has become so prevalent that at least one large bank I work with has adopted Dropbox for Business.

Their rationale is that employees can use a tool they’re familiar with and already like; one that works seamlessly across devices; yet IT can ensure authentication policies, and manage the flow of data according to classification.

So when a colleague asked me about my compliance to HPE corporate policy, I pointed out that I use the corporate file sync tool for all my work files, previously Citrix Sharefile, now MS Office365 OneDrive, and I use Dropbox for purely personal files.

“Oh,” he replied innocently, “what do you use for your notes?”

Which is where he struck me dead.

Indeed, for the last 7 years I’ve been using Evernote, a public cloud service, for all of my notes, both work and personal. Actually, not only for notes, but for business cards too, which represents suppliers, partners, and customers. And for whiteboard photos, and directions to company and customer sites. For all sorts of company information.

Technically this is against company policy, although it’s unlikely a hacker will get much of value from my Evernote file, even if they could decipher the notes.

But in a world of increasingly blurred lines for work and home technology, which company policies are you breaking?

In IoT You Cannot Know The Value Of Your Data

At the recent AIIA Navigating Privacy and Security Summit Mike Burgess, Telstra's CISO, mentioned 5 key principles to adopt when talking cyber-security to the business.

Principle #1 is: Know the Value of Your Data

That makes sense, right? This is a good place to start. In fact, probably the only place to start. How can you even begin to determine how much to invest in security without knowing the value of your data?

This is the principle that made Locksmiths the oldest guilded profession (and 2nd oldest profession). As soon as people had something of enough value to be stolen (gold), technology was developed to protect it (chests, locks, castles).

It's also true that few organisations even know what data they have, let alone its true value. This is the principle that has led to the “Egg Shell” security paradigm. Assume everyone outside is bad, inside is good, and put a big (fire)wall between the two. Secure the perimeter.

It's long been known that this strategy is flawed. I was teaching “Defence in Depth” IT Security Courses for Windows 2003 Server as a Microsoft consultant over a decade ago. Most breaches are from trusted parties (i.e. with access to the inside) or social engineering of the trusted parties. Not to mention that with access devices now living in people's pockets (and on their wrist) and compute delivered from the cloud, there is no perimeter.

Still there is little corporate knowledge of the data that flows through an organisation, let alone its value. So defining and understanding the value of your data is a great starting point.

But I would argue that with the advent of the IoT, you will not possibly be able to know the value of your data…

…Because that value changes.

Let's take the value of whether your house lights are on or off. Right now, there is little or no value in this data. But connect all of your lights to the Internet, and suddenly there's a raft of value, some instrumented, some inferred:

  • How much electricity you're consuming.
  • What time you wake, and go to sleep.
  • How much sleep each person in your house gets.
  • How your footy team is doing (you may program the lights to change colour on scored goals).
  • New Social Media followers.
  • How much electricity your lights consume, relative to other houses in the street.
  • How much power will be needed in a suburb for given weather, time, and traffic events.

None of this data is relevant now, but it immediately gains value as we connect these appliances to the Internet. And as we connect more devices and appliances, this increases exponentially. And that's just in the home, let alone the enterprise, farms, roads, cities, mines, aircraft…

The network creates this emergent value of data. Essentially this conforms to Metcalfe's Law, that states:

“The value of a [telecommunications] network is proportional to the square of the number of connected users of the system (n²).”

A New Paradigm

So a new paradigm emerges. In the old days those that truly understood the value of their data put in place appropriate security for just that data. Those that didn't just attempted to protect everything.

But just as you cannot predict the emergent value of data (and meta-data), so also no-one will have the resources to protect the scale and complexity of the IoT with the same approaches as before.

We need to look elsewhere to resolve this.

So the exam question is: “Where are other networks of incredible value, and what systems are in place to detect, identify, and protect against threats to these networks?”

And the first principle becomes:

“Implement a resilient security system that automatically extends to the emergent value of your data as it emerges.”

How Much Are Your Memories Worth?

I have a friend, let's call him Xavior, who recently lost his laptop bag in a car break-in. In the bag was his laptop, with all of his photos of his young family. All of the photos. They're all digital, and all stored on the laptop. And there were no other computers with these photos.

Yes, there was a backup, in case the laptop failed. This was stored on an external USB hard drive that, unfortunately, was in the same laptop bag.

You can imagine how crushed Xavior is. Tragic. As he put it, “This is not about replacing the stolen laptop. I hope the thief is happy with all of our only memories of our children.”

Which leads me to ask (philosophically), “It's 2016, why isn't there a back-up in the cloud?”

To which the most common answer is: “The 'free' accounts aren't big enough for all my data, and I can't afford a premium account.”

Of course there are other answers, e.g. “I don't trust my personal photos on a Public Cloud Provider that could be hacked.”

So here's a couple of questions:

1. How much would you pay to retrieve your data?

Let's say you couldn't access your photos because of a computer failure, or a corrupted SD card. How much would you be willing to pay to retrieve the information? Chances are, if these were your only memories, this would be a very high figure.

More than you would pay for backup software.

In fact, quite apart from synchronised drive providers (Box, Dropbox, OneDrive, GoogleDrive) that have a freemium account model, you can get CrashPlan from Code42. For Free. This will automatically back up all the files on your PC or Mac (or Linux box) daily. If you want, you can attach a HDD to your computer and do a full backup. Then plug this HDD into a friend's computer on the other side of the Internet, and your files will automatically back up to this drive. Daily. For Free.

If you want to add continuous backup, plus unlimited cloud storage, plus mobile phone access, this will cost you a whopping $5 per month.

So I ask again, how much are the thousands of photos worth? $60? I'd say so.

2. What is More Secure?

What is more secure? Duplicate copies in a public cloud provider that could potentially be hacked? Or, all of your valuable information on a physical machine?

With regard to hacking: It is extremely unlikely that anyone is going to hack you. Period. Unless you're a celebrity that has saved naked photos. Are you? Have you?

I thought not.

But even then, your HDD crashing, or your laptop failing, or your car being broken into? Those are far more likely events.

Actually, if I were to glean valuable information from you (which doesn't include your photos), I would hack your home computer a long time before hacking a Public Cloud Provider.

Seriously, the cloud is more secure than your PC at home.

3. Why Do We Think Everything Should Be Free?

This is my big question for today. For some reason there seems to be a “everything should be free” culture.

  • I'm willing to create a personal website of all my photos and videos and thoughts and events, but I'm not willing to pay for this website.
  • I'm willing to download apps or songs or movies as long as they're free.
  • I think it's ok to sync my files on a cloud service as long as I don't have to pay anything.

You Always Pay

As Xavior found out, you always pay for security. Either before disaster strikes, or afterwards. Afterwards is always more expensive.

This is true for other 'free' services. We actually pay far more for them than a financial sum. Our attention (time) is far more valuable than the $10 per month it would cost to host your own website. Your email address is far more valuable to a marketer over time, than the $100 for a 'free' report.

Take Action

Put in place a process to automatically backup your important files. Pay for a Dropbox subscription (that boosts you from 2GB to 2TB), so everything is just synchronised, securely.

Or MS OneDrive, or Google Drive, or S3 on Amazon Web Services.

Or CrashPlan. Which, again, you can implement for a daily, remote, automatic backup for free!!

And the next time you sign up for a 'free' account, take a moment to figure out just what you're actually paying.

Recovery

I suspect for Xavior all is probably not entirely lost. There'll be photos posted to Facebook, and Twitter. No doubt some were emailed to family and friends. Then there's photos others took that will be both online, and offline on home computers. Perhaps even some left on the Camera.

I rather suspect there won't be anywhere near as many photos, but it probably won't matter. The curated collection will be just as valuable. Consider this an unplanned editing event, based on the premise that all the best shots were shared already.

Protect yourself.