Archive for the ‘Data Privacy’ Category

SSN for authentication is all wrong

October 23rd, 2017

Unless you were stranded on a deserted island or taking a Zen digital fast, chances are you've heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes, an important part of the conversation was lost: if we didn't misuse our social security numbers, losing them wouldn't be a big deal. Let me explain: most people, and that includes some pretty high-up identity experts I've met in my travels, don't understand the difference between identification and verification. In the real world, conflating the two rarely has dire consequences. In the digital world, it's a huge mistake that can lead to severe impacts.

Isn't it all just authentication, you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failing to understand the difference is where the mess comes in. One reason it's so hard for many of us to separate identification from verification is that historically we haven't had to. Think back to how humans authenticated to each other before long-distance travel came into the picture. Our circle of acquaintances was pretty small, and we knew each other by sight and sound. Just by looking at your neighbor Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.

The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase (for example, bringing a birth certificate to the DMV to get your first driver's license) and ongoing identification, such as a unique ID number and a photo. These documents served as a single identification-and-verification mechanism. And that was great! It worked fine for years, until the digital age.

The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.

Who are you? Prove it!

This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. So is an alias, such as your unique employee ID number.

Do you want your name to be private? Imagine meeting another parent at your kid's soccer game and refusing to tell them your name for security reasons. How about: "Oh, your new puppy is so adorable, what's her name?" And you respond, "If I told you, I'd have to kill you." Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public precisely so we can share them to help identify things.

We also want consistency in our identifiers. Imagine if that town had street signs but changed the names of the streets every 24 hours for security reasons. And uniqueness: if every street had the same name, you'd still have a heck of a time finding the right address, wouldn't you?

Now that we're clear on what an identifier is, we can enumerate a few aspects that make up a really good one:

  • Public
  • Unchanging
  • Unique

In a town or on a public road, we trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust that Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky: how do you verify someone or something you've never met before? Ask them to prove it!

We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and a password (verification). How we verify in the real world can be public, unchanging, and unique because it's very hard to forge a whole person, or to switch all the street signs in a town. But verification online is trickier. We need to provide verification of who we are to a number of entities, many of which aren't great at protecting data. And if the same verification is reused across entities and one of them loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using a unique password for every website and app. This goes for those challenge questions too, which can lead to some fun calls with customer service: "Oh, the town where I was born? It's: xja*21njaJK)`jjAQ^." At this point, our father's middle name, first pet's name, town of birth, school and address history should all be assumed public; using them as secrets for verification doesn't make sense anymore.

If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. But what if you couldn't change your password, ever? It was permanent, it was lost in the Yahoo! breach, and it was the one you use at your bank, for your college and car loans, and for your health insurance? How would you feel?

So, with that in mind, you'd probably agree that the best digital verifiers are:

  • Private
  • Easily changed
  • Unique
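To make the two property lists concrete, here is an added example (not code from the original post) of an account store that treats the identifier and the verifier differently: the identifier is kept in the clear and used only to look the record up, while the verifier is salted, hashed and rotatable. The class and function names, the PBKDF2 work factor and the sample sites and secrets are this example's assumptions. `breach_impact` leaks one site's verifier and counts how many sites the attacker can still enter after the victim responds: a unique, rotatable secret per site leaves none; a password reused across sites leaves every other site open; a secret that cannot be changed at all (which is the situation with an SSN) leaves all of them open.

```python
"""Identifier vs. verifier: a minimal account store.

Added example, not code from the original post. The store, its method
names, the work factor and the sample accounts are this example's own
assumptions; the technique (salted PBKDF2 over a changeable secret, with
the public identifier used only for lookup) is standard practice.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; assumed here, tune for your hardware


@dataclass
class Account:
    identifier: str        # public, unchanging, unique: used only to look the record up
    salt: bytes            # per record, so the same secret at two sites hashes differently
    verifier_hash: bytes   # derived from the private, changeable secret; the secret itself is never stored


def _derive(verifier: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", verifier.encode(), salt, ITERATIONS)


class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def enroll(self, identifier: str, verifier: str) -> None:
        if identifier in self._accounts:
            raise ValueError("identifier must be unique")
        if verifier == identifier:
            # The value you look someone up by must not also be the value that proves it is them.
            raise ValueError("verifier must not equal the public identifier")
        salt = os.urandom(16)
        self._accounts[identifier] = Account(identifier, salt, _derive(verifier, salt))

    def verify(self, identifier: str, verifier: str) -> bool:
        acct = self._accounts.get(identifier)
        if acct is None:
            _derive(verifier, bytes(16))  # same cost for an unknown identifier as for a wrong secret
            return False
        return hmac.compare_digest(acct.verifier_hash, _derive(verifier, acct.salt))

    def rotate_verifier(self, identifier: str, old: str, new: str) -> bool:
        """Replace the secret; possible only because the verifier, unlike the identifier, is changeable."""
        if new in (old, identifier) or not self.verify(identifier, old):
            return False
        salt = os.urandom(16)
        self._accounts[identifier] = Account(identifier, salt, _derive(new, salt))
        return True


def breach_impact(sites: list[str], identifier: str, verifiers: dict[str, str], rotatable: bool = True) -> int:
    """Leak the first site's secret, let the victim respond, and count sites the attacker can still enter."""
    stores = {s: AccountStore() for s in sites}
    for s in sites:
        stores[s].enroll(identifier, verifiers[s])
    leaked_site, leaked = sites[0], verifiers[sites[0]]  # the attacker now holds this secret in the clear
    if rotatable:
        stores[leaked_site].rotate_verifier(identifier, leaked, os.urandom(8).hex())
    return sum(1 for s in sites if stores[s].verify(identifier, leaked))


# Constructed sample data: one public identifier used everywhere, three relying parties.
SITES = ["bank", "loans", "insurer"]
IDENTIFIER = "bob@example.com"
UNIQUE = {"bank": "marigold-tram-7", "loans": "copper-ferry-22", "insurer": "violet-drum-4"}
REUSED = dict.fromkeys(SITES, "Summer2017!")   # one changeable password reused at every site
SSN = dict.fromkeys(SITES, "123-45-6789")       # one secret that cannot be changed at all

if __name__ == "__main__":
    print("unique per site, rotated:", breach_impact(SITES, IDENTIFIER, UNIQUE))                    # 0
    print("reused password, rotated:", breach_impact(SITES, IDENTIFIER, REUSED))                    # 2
    print("SSN as verifier, unrotatable:", breach_impact(SITES, IDENTIFIER, SSN, rotatable=False))  # 3
```

The identifier never needs protecting in this model, so leaking it costs nothing; everything that matters lives in the verifier, which is why the verifier must be private, unique per site, and replaceable the moment one site loses it.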

Your turn

OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think: is your SSN a better identifier or verifier?


Securing the new BYOD frontline: Mobile apps and data

With personal smartphones, tablets, and laptops becoming ubiquitous in the workplace, bring your own device (BYOD) strategies and security measures have evolved. The frontlines have shifted from the devices themselves to the apps and data residing on—or accessed through—them.

Mobile devices and cloud-based apps have undeniably transformed the way businesses operate. But they also introduce new security and compliance risks that must be understood and mitigated. When personal and corporate apps are intermingled on the same device, how can organizations remain compliant and protected while giving employees the best productivity experience? And when corporate information is dispersed among disparate, often unmanaged locations, how can organizations make sure sensitive data is always secured?

Traditional perimeter solutions have proved to be inadequate in keeping up with the stream of new apps available to users. And newer point solutions either require multiple vendors or are just too complex and time-consuming for IT teams to implement. Companies need a comprehensive, integrated method for protecting information—regardless of where it is stored, how it is accessed, or with whom it is shared.

Microsoft’s end-to-end information protection solutions can help reconcile the disparity between user productivity and enterprise compliance and protection. Our identity and access management solutions integrate with existing infrastructure systems to protect access to applications and resources across corporate data centers and in the cloud.

The following Microsoft solutions and technologies provide access control at several levels:

Identity and access management

Simplify user access with identity-based single sign-on (SSO). Azure Active Directory Premium (Azure AD) syncs with existing on-premises directories to simplify access to any application, including those in the cloud, with a single secured identity. No more juggling multiple combinations of user names and passwords. Users sign in once with an authenticated corporate ID and receive a token that grants access to resources for as long as the token is valid. Azure AD comes pre-integrated with thousands of popular SaaS apps and works with iOS, Android, and Windows devices to deliver multi-platform access. Not only does unified identity with SSO simplify user access, it can also reduce the overhead costs associated with operating and maintaining multiple user accounts.

Secure and compliant mobile devices

Microsoft Intune manages and protects devices, corporate apps, and data on almost any personal or corporate-owned device. Through Intune mobile device management (MDM) capabilities, IT teams can create and define compliance policies to meet specific business requirements, deploy policies to users or devices, and monitor device and user compliance from a single administration console. Intune compliance policies give IT visibility into the health of users' devices and let IT block or restrict access if a device becomes non-compliant. IT administrators can also perform remote actions, such as a passcode reset, device lock, data encryption, or a full wipe of a lost, stolen, or non-compliant device.

Conditional access

Microsoft Intune can also reinforce access protection by verifying the health of users and devices before granting privileges, through conditional access policies. Intune policies evaluate user and device health by assessing factors such as IP range, the user's group membership, and whether the device is managed by Intune and compliant with the policies set by administrators. During policy evaluation, Intune blocks the user's access until the device is encrypted, a passcode is set, and the device is not jailbroken or rooted. Intune integrates with cloud services like Office 365 and Exchange to confirm device health and grant access based on the result.
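As an added illustration (not Intune's or Azure AD's code) of the kind of evaluation described above, the following Python checks a request against a conditional-access policy on group membership, source IP range and device posture. The policy fields, the `DeviceState` shape and the sample requests are assumptions of this example. It fails closed when the device is unenrolled, since an unmanaged device cannot prove anything about its own posture, and it reports every unmet requirement so the user knows what to remediate.

```python
"""Conditional-access policy evaluation as a standalone illustration.

Added example; not Intune's or Azure AD's code. The policy fields, the
DeviceState shape and the sample requests are this example's assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DeviceState:
    """Posture as reported by the management service, never by the client itself."""
    managed: bool
    encrypted: bool
    passcode_set: bool
    jailbroken_or_rooted: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset[str]
    source_ip: str
    device: DeviceState | None   # None: device is not enrolled, so its posture is unknown


@dataclass(frozen=True)
class Policy:
    required_group: str
    trusted_networks: tuple[str, ...]   # CIDR ranges, IPv4 or IPv6


def evaluate(policy: Policy, req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, unmet requirements). Every check runs so the user gets the full remediation list."""
    unmet: list[str] = []

    if policy.required_group not in req.groups:
        unmet.append(f"user {req.user} is not in group {policy.required_group}")

    try:
        src = ip_address(req.source_ip)
        if not any(src in ip_network(n) for n in policy.trusted_networks):
            unmet.append(f"source address {src} is outside the trusted ranges")
    except ValueError:
        unmet.append(f"source address {req.source_ip!r} is not a valid IP address")

    # Fail closed: an unenrolled or unmanaged device cannot attest to its posture.
    if req.device is None or not req.device.managed:
        unmet.append("device is not managed; enroll it before access is granted")
    else:
        if not req.device.encrypted:
            unmet.append("device storage is not encrypted")
        if not req.device.passcode_set:
            unmet.append("no device passcode is set")
        if req.device.jailbroken_or_rooted:
            unmet.append("device is jailbroken or rooted")

    return (not unmet, unmet)


# Constructed policy and sample requests (assumed values, not taken from any real tenant).
CORPORATE_POLICY = Policy(required_group="mail-users", trusted_networks=("10.0.0.0/8", "2001:db8::/32"))

COMPLIANT = AccessRequest("alice", frozenset({"mail-users"}), "10.1.2.3",
                          DeviceState(managed=True, encrypted=True, passcode_set=True, jailbroken_or_rooted=False))
ROOTED = AccessRequest("bob", frozenset({"mail-users"}), "2001:db8::10",
                       DeviceState(managed=True, encrypted=True, passcode_set=False, jailbroken_or_rooted=True))
UNENROLLED = AccessRequest("carol", frozenset({"contractors"}), "203.0.113.7", None)

if __name__ == "__main__":
    for req in (COMPLIANT, ROOTED, UNENROLLED):
        allowed, unmet = evaluate(CORPORATE_POLICY, req)
        print(req.user, "ALLOW" if allowed else "BLOCK", unmet)
```

The design point worth carrying into a real deployment is the source of the posture data: the checks are only meaningful when `DeviceState` comes from the management service's own record of the device, not from values the client sends about itself.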

Multi-factor authentication

Multi-factor authentication is a feature built into Azure Active Directory that adds a second layer of authentication to help make sure only the right people have access to corporate applications. It helps prevent unauthorized access to on-premises and cloud apps by requiring additional authentication, and offers flexible enforcement based on user, device, or app to reduce compliance risk.

To learn more about BYOD security, download the free eBook, Protect Your Data: 7 Ways to Improve Your Security Posture


Microsoft achieves globally recognized ISO/IEC 27018 privacy standard

February 16th, 2015

Today Microsoft announced its continued commitment to protecting customers' privacy by adopting the globally recognized ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. This achievement is designed to help assure customers of all sizes that their most sensitive personal data will receive the strong privacy protections detailed in this standard.

We know that our customers rely on us as their cloud service provider to continually enhance security, ensure data privacy and manage compliance expectations. There are a lot of certifications to pursue; you can be confident we'll cut through the clutter and focus on what's important. Microsoft's adoption of the ISO 27018 standard ensures that additional practices are put in place to help protect your data. For more details on this important milestone, please read Brad Smith's blog.


Groundbreaking project assesses public cloud for a more resilient Estonia

February 4th, 2015

Cloud computing is increasingly inspiring organizations to rethink how they use IT to accomplish their goals. Around the world, we see cloud service adoption unlocking speed, scale, and economic benefits. Governments are taking note and following suit; Microsoft is helping them use cloud services to create scalable, interactive citizen portals, collaborate more easily, and deliver volumes of data to citizens, all while reducing costs and ensuring the security, resilience and trustworthiness of the services they run in the cloud.

However, only rarely does a project come along that is as exciting and groundbreaking as the partnership we’ve recently had with the Estonian Chief Information Officer. In the process of this work, we evaluated public cloud services and assessed their role in meeting the needs of an advanced digital society and innovative government. The unique joint research project by Microsoft and the Estonian Ministry of Economic Affairs and Communications explored the possible implementation of a Virtual Data Embassy. A “data embassy” is a physical or virtual data center in “allied” foreign countries chosen by the government that stores data of critical government information systems and mirrors of critical service applications. In addition to examining domestic and international legal landscapes, the collaborative research project assessed two government services—the Estonian official legal records State Gazette and the President of Estonia’s website—and how they could both be migrated to, and hosted on, the Microsoft Azure cloud computing platform.

A number of interesting technical and policy questions were raised throughout the course of the research, which we are publishing today in a Summary Report. The report provides a detailed overview of the Estonian initiative, a summary of the technical, legal and policy research undertaken, and our findings throughout the research process. It concludes with eight recommendations that any government considering cloud computing is likely to find useful.

The joint research project established that the core concept of the data embassy is viable. However, technology represented the easy part of Estonia’s initiative. While online services today are robust enough to meet the volume and other needs of citizens’ digital interactions with governments, harder questions surfaced as we evaluated operational requirements to support effective migration to the public cloud and how states see sovereignty in today’s digital society. Certain laws or policies may need to be revised domestically or evolved internationally to ensure that cloud computing can support certain government functions.

I hope that more governments emulate Estonia’s groundbreaking and thoughtful approach to e-government, and consider how to best use cloud computing to bring services to their citizens. Governments must recognize the consequences of attacks on nation-state digital assets and how advances in technology can help ensure digital continuity. Finally, governments must be willing not only to recognize the inviolability of other governments’ digital assets, but also to work together to prevent attacks and to hold accountable those who commit them.

The Importance of Effective Information Sharing

January 29th, 2015


This week, I testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs at a hearing on “Protecting America from Cyber Attacks: the Importance of Information Sharing.” It was good to see that the committee’s first hearing of the 114th Congress focuses on cybersecurity issues generally, and information sharing in particular, and I’d like to summarize the key points of my testimony.

There is no doubt that cybersecurity is an important issue for America, other nations, the private sector, and individuals. In an effort to better understand and help address the challenges we face, I regularly engage with government leaders from around the world, security-focused colleagues in the IT and Communications Sectors, companies that manage critical infrastructures, and customers of all sizes. From those interactions, I have concluded that cyber-attacks have joined terrorism and weapons of mass destruction as one of the new, asymmetric threats that put countries, corporations, and their citizens at risk.

With global threats, global actors, and global networks, no one organization – public or private – can have full awareness of all the threats, vulnerabilities, and incidents that shed light on what must be managed. There is no doubt that sharing such information can and has protected computer users and increased the effectiveness of the security community’s response to attacks. For example, in 2009, the Conficker Working Group came together to share information and develop a coordinated response to the Conficker worm, which had infected millions of computers around the world. After the working group developed a mitigation strategy, Information Sharing and Analysis Centers (“ISACs”) were mobilized, company incident response teams were activated, government responders were engaged, and the media reported as milestones were reached and services were restored. The challenge was addressed, and quickly.

Why is it, then, that after 20 years of discussion and proof of effectiveness, information sharing efforts are viewed as insufficient? The short answer is that while there are success stories, it is often true that those with critical information are unable or unwilling to share it. They may be unable to share it due to law, regulation, or contract, all of which can create binding obligations of secrecy and expose a company to legal risk if information is shared. Even when those restrictions permit sharing pursuant to authorized exceptions, legal risks remain, as parties may disagree on the scope of the exception. There are also non-legal, non-contractual risks; for example, a company that discloses its vulnerabilities may suffer reputational risk, causing both customers and investors to become concerned. It may even suggest to hackers that security is inadequate, encouraging other attacks.

With all these challenges in mind, we believe there are six core tenets that must guide information sharing arrangements:

1. Information sharing is a tool, not an objective.

2. Information sharing has clear benefits, but poses risks that must be mitigated.

3. Privacy is a fundamental value, and must be protected when sharing information to maintain the trust of users – individual consumers, enterprises, and governments – globally.

4. Information sharing forums and processes need not follow a single structure or model, and governments should not be the interface for all sharing.

5. Government and industry policies on information sharing should take into account international implications.

6. Governments should adhere to legal processes for law enforcement and national security requests, and governments should not use computer security information sharing mechanisms to advance law enforcement and national security objectives.

Information sharing has worked and does work. But it works because the parties see that the benefits (better protection, detection and response) outweigh the risks. History also teaches, however, that information sharing tends to work best when those involved trust each other to respect informal and sometimes formal agreements (e.g., non-disclosure agreements) on information use and disclosure.

The two most important things Congress can do are (1) ensure that the information sharing arrangements that are working effectively are left undisturbed; and (2) encourage additional information sharing by providing protections for shared information and addressing risks posed by information sharing, including privacy risks.

You can read my full testimony here.

Data Privacy Day in a World of Cloud Computing

January 28th, 2015

Since 2006, some European countries have marked Data Privacy Day, initially to raise awareness. Today, privacy is a critical consideration in cloud computing. People will not use technology they do not trust, and data privacy is an important part of building that trust.

New technologies can make people question how their own information is controlled. As Brendon Lynch, Microsoft's Chief Privacy Officer, notes in his Microsoft on the Issues blog post, Microsoft is putting you in control in three ways:

  • Building privacy into products. We design and build products with security and privacy in mind, from our software development processes to using best-in-class encryption to protect your data. These steps are critical to keeping your information safe from attacks.
  • Building privacy into policies and practices. Putting you in control means offering transparency, starting with company policies that provide simple and easy to understand explanations of how your personal information is used and stored on Microsoft’s platforms.
  • Advocating laws and legal processes that keep people in control. We require governments around the world to use legal process to request customer data. We have challenged laws to make privacy protections stronger. And we advocate for better public policy to balance privacy and public safety.

Microsoft takes a principled approach to building trust in the cloud focusing on Cybersecurity, Data Privacy, Compliance and Transparency. Data Privacy Day is an excellent time to evaluate privacy within your own organization.


Putting Information Sharing into Context

January 27th, 2015

Putting Information Sharing into Context: New Whitepaper Offers Framework for Risk Reduction

The nearly incessant drumbeat of cybersecurity incidents over the past weeks and months has brought about renewed interest in information sharing across the technical and political spheres. For example, earlier this month the White House proposed legislation to encourage information sharing, which President Obama also referred to in his State of the Union address. When it comes to cybersecurity, the right information exchanged or shared at the right time can enable security professionals and decision makers to reduce risks, deflect attacks, mitigate exploits and enhance resiliency. In this case, forewarned really can mean forearmed.

Information sharing is not a novel idea. A number of initiatives around the world have been in place and working successfully for some time. For example, here at Microsoft we have a program in place that gives security software providers early access to vulnerability information so that they can provide updated protections to customers faster. From this and other programs of various sizes we have learned that despite the increased focus on collective action from both private practitioners and policy makers around the world, effective information sharing is not an easy undertaking. It requires clear definitions and objectives rather than solely words of encouragement, or mandatory requirements. Furthermore, it is all too often viewed simply as a goal in and of itself rather than as a mechanism for improving security, cybersecurity assessment, and risk management. Finally, and from the public-private partnership perspective most pressingly, information sharing can quickly expand into controversies involving originator control, trust, transparency, privacy and liability.

To help put this complex issue into context, today we are releasing a new white paper: A framework for cybersecurity information sharing and risk reduction. Leveraging Microsoft’s decades of experience in managing security for our products, infrastructure, and customers, the paper provides a taxonomy for information exchanges including types, actors, and methods. We believe that understanding how to incentivize information sharing and how to better harness the practice for risk reduction can help move policy and strategy debates forward and support better defence of cyber assets and infrastructure. The paper concludes with a discussion of best practices and seeks to lay the groundwork for a more formalized, collaborative approach to information sharing and implementing exchanges through a set of recommendations. I hope that it can serve as a relevant and timely guide for anyone with responsibility for developing new ideas and solutions for information exchanges.


Six Proposed Norms to Reduce Conflict in Cyberspace

January 20th, 2015

Last month, my team launched a new white paper, “International Cybersecurity Norms, Reducing conflict in an Internet-dependent world” at the EastWest Institute’s 2014 Global Cyberspace Cooperation Summit in Berlin. In the paper we explained the unique cyber risks posed by nation states’ offensive activities, and how these risks could escalate – perhaps unintentionally – to catastrophic consequence. Our goal was to outline the risks faced by society, and propose six cybersecurity norms that nation states can consider for reducing risk in cyberspace.

The framework we propose for developing norms evaluates various actors in cyberspace, the objectives those actors are seeking to advance, the corresponding actions that could be taken, and, finally, the potential impacts that can result. Governments, often among the most advanced actors in cyberspace, can take a multitude of actions in cyberspace, both offensively and defensively, to support acceptable objectives. These actions and their resulting impacts, both intended and unintended, can precisely support defined objectives but can also advance one generally acceptable objective while simultaneously challenging another. In many cases, societal debate is not about objectives, such as degrading or delaying the spread of nuclear weapons or preventing terrorism, but whether the actions that can be taken—and the impact of those actions—are acceptable. With this framework in mind, when developing cybersecurity norms for governments, we can focus on discussing acceptable and unacceptable objectives, which actions may be taken by governments, in pursuit of those objectives, what the possible impacts are, and whether they are acceptable for a civilized, connected society.

Cybersecurity norms should be designed not only to increase the security of cyberspace but also to preserve the utility of a globally connected society. As such, norms should define acceptable and unacceptable state behaviors, with the aim of reducing risks, fostering greater predictability, and limiting the potential for the most problematic impacts, including (and in particular) impacts which could result from government activity below the threshold of war.

Cybersecurity norms that limit potential conflict in cyberspace can bring predictability, stability, and security to the international environment. With wide acceptance of these norms, governments investing in offensive cyber capabilities would have a responsibility to act and work within the international system to guide their use, and this would ultimately reduce the likelihood of conflict. In many cases the norms are either rooted in principles not dissimilar from those governing the Law of Armed Conflict, or derived from international best practices currently employed globally by the Information and Communication Technology (ICT) sector.

The following norms, and the framework used to build them, enable states to make choices that appropriately balance their roles as users, protectors, and exploiters of cyberspace.

1. States should not target ICT companies to insert vulnerabilities (backdoors) or take actions that would otherwise undermine public trust in products and services.

2. States should have a clear principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them.

3. States should exercise restraint in developing cyber weapons and should ensure that any which are developed are limited, precise, and not reusable.

4. States should commit to nonproliferation activities related to cyber weapons.

5. States should limit their engagement in offensive cyber operations to avoid creating a mass event.

6. States should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace.

Download the paper to learn more about these proposed norms for cybersecurity.