Two populations, two approaches

Andre over at Ping Identity has clearly been doing some heavy thinking. First, he connects internet-scale security and the continuing death of the firewall. Then he raises the point that there are more identities outside the enterprise than within. The implication is that those external (Internet-based) identities are of real value to the enterprise: they are partners and customers. These external identities need to be “secured and tracked.”

Two questions come to mind. First, do both populations require the same kind of identity management and services? At issue here is context. The context of a customer or partner is different from that of an employee. Yes, they may need similar identity services, but the manner in which they consume those services is context driven. This may lead to different sets of identity services, which must be centrally orchestrated and audited. Second, is the application tier really the best place to tackle these problems?

I think the two populations require different approaches. Companies need to tackle inside identities from the network layer up. Why? Because people on the inside have greater access to the soft, fleshy underbelly of the business. Even the most well-intentioned employee can inadvertently cause damage once he’s on the enterprise network. Outside identities, meanwhile, should be dealt with at the application tier, since that is their access path to corporate systems.

Banks: Data breaches, info security, and risk – oh my!

Our marketing team recently completed a survey of IT types at banks and credit unions, asking about data breaches, identity theft, information security costs and risks. The survey uncovered some interesting results, especially regarding how they regard insider threats (very seriously) and the estimated organizational costs of a major data breach (more than you’d think).

With most of the security discussion focused on consumer banking (phishing, stronger authentication for retail online banking), we were also intrigued by feedback about business banking customers. The majority of respondents agree that business customers demand greater security for Web and electronic banking services. They also agreed that business customers would be willing to limit access to certain services to specific users connecting from specific computers.

This is a departure from thinking on the consumer side: banks just can’t force individual users to log in from only one machine. (Even if logging in from another machine requires you to take an extra step, like answering a secret question.) Getting consumers to work with anything other than username and password is going to be challenging; this is one reason why I have so much hope for CardSpace. (I am tempted to refer to consumers as lazy, but a) that’s not really accurate and b) they have been trained into their malaise.)

While it may not fit consumers, computer-based access control makes perfect sense for a lot of business banking services. As a business owner, I would probably only want authorized users from my accounting team to have access to payroll or wire transfer services, and only from known computers in the office. Or I would only want known POS systems connecting to my bank’s remote deposit capture servers.
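To make the two policies concrete, here is an added example (my own illustration, not part of the survey or any bank's system) of an access-policy evaluator that treats the two populations differently: consumer services accept any device and fall back to a step-up challenge from an unrecognized one, while business services such as payroll and wire transfer are allowed only for users in a named group *and* only from enrolled device identifiers, with no step-up path. The users, groups, device IDs, service names and the policy layout are all hypothetical, constructed for the example.

```python
"""
Added example, not from the original post: a small access-policy evaluator
for the two banking populations discussed above.

- Consumer services: any user, any device; an unrecognized device triggers a
  step-up challenge rather than a denial.
- Business services: user must be in the required group AND the request must
  come from a device enrolled for that service; otherwise deny outright.

All users, groups, devices and services below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Request:
    user: str
    service: str
    device_id: str  # hypothetical: a client-cert thumbprint or device fingerprint


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up: bool = False  # True when the caller must complete an extra challenge


# Constructed sample directory: which groups each user belongs to.
USER_GROUPS = {
    "alice": {"accounting"},
    "bob": {"sales"},
    "carol": set(),  # retail (consumer) customer, no business groups
}

# Constructed business policy: required group and enrolled devices per service.
BUSINESS_POLICY = {
    "payroll":        {"group": "accounting", "devices": {"dev-office-01", "dev-office-02"}},
    "wire_transfer":  {"group": "accounting", "devices": {"dev-office-01"}},
    "remote_deposit": {"group": "accounting", "devices": {"pos-01", "pos-02"}},
}

# Constructed consumer services and the devices each consumer has used before.
CONSUMER_SERVICES = {"balance", "bill_pay"}
KNOWN_CONSUMER_DEVICES = {
    "carol": {"dev-home"},
}

AUDIT_LOG: List[str] = []  # central audit trail shared by both policies


def _audit(req: Request, decision: Decision) -> Decision:
    """Record every decision so both populations are audited in one place."""
    AUDIT_LOG.append(
        f"user={req.user} service={req.service} device={req.device_id} "
        f"allow={decision.allow} step_up={decision.step_up} reason={decision.reason!r}"
    )
    return decision


def evaluate(req: Request) -> Decision:
    """Apply the business policy or the consumer policy depending on the service."""
    if req.service in BUSINESS_POLICY:
        rule = BUSINESS_POLICY[req.service]
        if rule["group"] not in USER_GROUPS.get(req.user, set()):
            return _audit(req, Decision(False, "user not in required group"))
        if req.device_id not in rule["devices"]:
            # Hard deny: business services get no step-up path from unknown machines.
            return _audit(req, Decision(False, "device not enrolled for this service"))
        return _audit(req, Decision(True, "authorized user on enrolled device"))

    if req.service in CONSUMER_SERVICES:
        if req.device_id in KNOWN_CONSUMER_DEVICES.get(req.user, set()):
            return _audit(req, Decision(True, "known consumer device"))
        # Unknown device is allowed, but only after an extra challenge.
        return _audit(req, Decision(True, "unknown device; step-up challenge required", step_up=True))

    # Deny by default: a service not covered by either policy is never reachable.
    return _audit(req, Decision(False, "unknown service"))


if __name__ == "__main__":
    for r in (
        Request("alice", "payroll", "dev-office-01"),
        Request("alice", "wire_transfer", "dev-office-02"),
        Request("bob", "payroll", "dev-office-01"),
        Request("carol", "balance", "dev-home"),
        Request("carol", "balance", "dev-cafe"),
    ):
        print(evaluate(r))
    print("\n".join(AUDIT_LOG))
```

The point of the split is in the `evaluate` branches: the consumer branch never denies a legitimate user for using a new machine, it only raises the bar, whereas the business branch denies unless both the user and the device are enrolled. Keeping one audit log for both is the "centrally orchestrated and audited" part.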

We will be sharing the complete results of the survey on a Webcast on October 10 at 1 p.m. EST, sharing the virtual dais with Tripp Johnson of Cornerstone Advisors (the guys behind the very amusing www.gonzobanker.com). More details and registration information here: http://www.trustednetworktech.com/webinar_banksurvey.asp.