Physical Vs. Virtual Security: No Contest
For users and vendors, recycling such authentication technology could prove to be a real cost saver, says Ksheerabdhi Krishna, technical adviser for digital security provider Gemalto, maker of smart cards, subscriber identity module chips, electronic passports and tokens. "The challenge for us is to make use of what already is issued and have it fit in with some other technologies," Krishna said in an interview with GovInfoSecurity.com (transcript below).
Krishna holds a Ph.D., in computer science and engineering from the University of New Mexico. Krishna was a principal member of the team that engineered the first Java Card in 1997. He has since been active in the domain of smart cards with numerous publications and patents related to this technology. Krishna has been an active member of the Java Card Forum Technical Committee and the InterNational Committee for Information Technology Standards Technical Committee M1 on Biometrics.
ERIC CHABROW: Please take a few moments to tell us about the research going on at Gemalto. What is in the pipeline that might change the way organizations secure their digital assets in the next six months to year or two?
KSHEERABDHI KRISHNA: We have a fairly broad agenda on research in government and we're just going to focus three important areas. We have experts in cryptography, so we're looking at cryptography as very key enabling area; we have cryptography protocols and algorithms and just different ways of actually encrypting, signing and so on additional information.
And we're looking at user-centric identity. Gemalto makes devices that secure the end user and it is what is sort of what's unique about Gemalto, so it is very important for us that this technology that we make for security venues is easy to use and that the users are at the center of that experience. So we look at user centric-identity from a use and convenience prospective as well as from IT management protocols, and we make as you know smart cards and we actually call them more broadly security devices. We are researching different kinds of security devices that can complement our you know increasing the digital lives and smart card as I mentioned earlier, but things like secure USB tokens and badge holders that can complement things like smart cards and other kinds of devices like readers and things that actually complement the end user for providing security services.
We also do a whole bunch of stuff around mobile technology in terms of why they need the enabling piece in the mobile ecosystem, UICC, more commonly known as the SIM card, and we do a bunch of stuff that those three, cryptography, user centric-identity and security devices are some of the areas that we are actively focusing on.
CHABROW: How are these technologies evolving and what kind of things will the users notice in a year or two that they don't notice now?
KRISHNA: I refer to them as complementary technologies, in the sense that there is an entire ecosystem of usage. These technologies actually complement end-user ecosystem and the evolution is actually from, as you probably seeing and you hear a lot about from, personal computing and getting enriched by another complement, which is having your data and your computing activity take place in the cloud. You know, the problems are different and the solutions that you see may need some different ways of actually thinking about as for solving.
CHABROW: How organizations secure IT in some ways is also a personal responsibility of the individual user, is that correct?
KRISHNA: Yes. To look at how we have evolved over time, we used to have desktops systems, where you came in and you did your stuff in your office and all the aspects of you working and securing your work went along with that. We now carry pretty much our work with us, laptops, notebooks; it's pretty dominant now where you carry your work. There is also this thinking about, well you know, this is good, this has actually empowered up quite a bit, the fact that we have access to our stuff from anywhere anytime in a sense, but we are still carrying this device. Along with that came the responsibility of you making sure that your data was protected, that your data was taken care of, because some of it was your data, some of it was the corporation's data that you work for. But convenience is still a very important thing. Now, as we try to look at some other ways where we can work where you have all of this data now seeking elsewhere, now increasingly access to data is even more critically important. It is very convenient because you have access to it anywhere but it is important that it is only you that has access to it and now anybody else.
CHABROW: Let's talk a little bit about that. When you say only you have access to that, we're talking about things like authentication correct?
CHABROW: So what's changing about authentication?
KRISHNA: Two things, it's becoming increasingly important as to the way you authenticate in. We've always had a lot of user name and password and this has always been a problem. People are becoming more aware that alone will not do, and often you will see a lot of traditional systems that were just using user name and passwords in say a browser ... as well complementing it with other two-factor style techniques, like one-time password. Getting your additional representation of yourself, your digital credential woven into this authentication is also becoming increasingly important because, like I said, you have now only part of your information out there and you want to make sure that it is only you who can get it, and one of the best ways to do that is to use a digital security technology like is provided with smart cards where you have a credential that represents you and you have a whole bunch of protocols and infrastructure that most other plans for that credential as you and unlock the doors that you need unlocked to get to your stuff.
CHABROW: Does that technology already exist?
KRISHNA: Some of this technology already exists, and some of this technology is more geared toward the personal computing environment and the things that need to be worked out as how they translate well to the web and the cloud environment.
CHABROW: So, in other words, there are technologies as you say that deal with these two-factor authentications you were just referring to that works well with PCs and internal systems, but you are saying that there are still challenges out there to make them effective in cloud computing?
KRISHNA: Yes, there is always room for improvement; there are always ways we can do this better. Even if you look back in the PC stage, some of the work that we have done here as you know how to simplify access to your credentials through the software stack that is made available by the PC maker, and that has been an interesting journey, very technology heavy. By the time you solve the tough problems, you sort of end up forgetting that, okay hey, there is a user there who will have to actually go through some of these hoops. What we have done is consciously seen how we can simplify it, just not only with us, but with partners and the industry to see how we can set forth some standards that would make that experience easy. It has gotten much better. You have software that is sort of plug in play from a user perspective, insert a smart card, what ever software is needed for it to come online. It is this kind of ease that we think is very important that we need to bring to the cloud story. One-time password, as you mentioned, is also one of those technologies that have been going from the different sort of time-based, one-time password to something more like old have it standardized have it easily available, have the infrastructure that is able to accept it. These are things we have been working on. We continue to work on to make that easy.
CHABROW: Where do you see the evolution of identity management heading?
KRISHNA: Identity management has evolved from something that is mature in the enterprise, whether it has been lots of standards like, from the old good days, something called Liberty Alliance that has hung in implementations and enterprise. Where it is headed for the past three years and headed more aggressively because of initiatives like NSTIC, the National Strategy for Trusted Identity in Cyberspace, which is an initiative from their administration to bring these topics of real identity and security and privacy to the forefront, knowing that these are real problems people have. Identity management moving from the enterprise to the end user in a more broader perspective, and this is coupled with a lot of activity that has happened on the Internet in the open-source community in the community in general around easier ways people can actually authenticate into their accounts. You have technologies like OpenID, you have technologies like CardSpace, basically, simple end user base identity management technologies that let people who don't know a whole lot about all the intricacies of it, but have easy access. There is now a lot of funding that is available for people who actually do this stuff using good standard protocol and connect them. Things like Facebook Connect, at least 500 million people are users out there that know how to use it, but the technologies behind that are pretty sophisticated and you know they are all well recorded in grounding some really good research.
CHABROW: Anything else you would like to discuss?
KRISHNA: One part of what we think about is: How do you secure access to the cloud? The other one is how do you secure access to your own data, which again you carry around with you in your person, conveniently and be form factor for that sort of a USB sticks. We have taken USB token and you carry your data with it and it's becomes increasingly important to make sure that what you're carrying if you misplace it or accidently lose it somewhere that it is safe. You know we come up with over the years some we've come very interested in devices that actually bring the security of smart cards to the traditional USB master-rich device. It not only solves the problem of your data being protected, it also enables other possibilities because now that you have a smart card you can also have your digital certificate in it. And you can do more stuff with it, and you could sign documents or you could encrypt things not only on your device but also maybe in the cloud. This kind of combination makes also an interesting family of devices.
CHABROW: If you are a CISO of an organization and you're giving your employees these kinds of devices, what are the management challenges from the CISO perceptive?
KRISHNA: The management challenges are first to make sure if indeed these devices to get misplaced, how you can insure that if there is any data it has to be backed up some place. One of the challenges is bringing this culture of, okay you're going to put some data for convenience, well we have to make sure that there is some accountability of that data. The other challenge is the end point that out of that enterprise you have to make sure that only that kind of devices, a device with certain security property, can connect to the end point social enterprise. Then the challenge of actually issuing those devices, finding those devices to a user and having a whole technique of managing a life cycle of getting that device to you, and when you leave us as you know move to another part of the organization or give the organization when you give that device back, putting it back into the pool for circulation. So these sorts of things are the challenges.
The U.S. government has been at the forefront of actually just getting this technology deployed and used, started with what was called the common access card and is now converged with a program called PIV, personal identity verification, and there's a whole it comes out of the HSPD12 initiative from the government, as well. You have standards on banking, you have standards around things like securing access things for transportation workers or first responders programs. And, of course, the ultimate representation of the passport ID; the passport is now an electronic password, which is not just some print but along with it some digital representation of you. These are all actually standards, and they work not only for you, but they work across different countries that you might visit.
CHABROW: Phillip Reitinger, the deputy undersecretary of Homeland Security, before Congress earlier this year, when asked about separating physical security from virtual security, said he felt they should go together. His rational was in part that the same technologies that can be used in passports or can secure facilities using smart cards and things like that can also be used to secure data in the virtual world. What do you think of that?
KRISHNA: That's a good point. I think NSTIC stuff is basically also very much in line with that statement. We have issued the identity, sort of speak, to people and so whatever it is that we build, what ever infrastructure we build for identity management should actually make use of these digital identities that we have distributed. The more conventional use is the physical access aspect. Coupled with that is what has already been issued, not requiring anything new because there is you know a huge costs involved in sort of getting people to move to something different. And the challenge for us, by the way, is to make use of what is already issued and have it fit in with some of the things that we have discussed already. Like how does that actually bridge to, say, OpenID, and we use already the identity that is issued for an OpenID settlement addition, like how will you do that? I think that is a very important point, because I think when you are going to ask or going to require people, holding you to fresh to be able to work with an infrastructure that is being proposed, the buy in and getting in to that is going to be that much more tough. That is a good point. That is how it should be actually.
CHABROW: Is that the way your company approaches things? When you look at technologies, are you looking for us to be accessing physical facilities versus virtual ones or do you see it being combined?
KRISHNA: We see that combining even with smart cards. You have contact smart cards and you have contactless smart cards, all standard based technologies so you have your combination cards and you have cards that have two separate technologies on them; you have a contact that calls you and a different contactless technology. It absolutely makes sense to have them combined, because you have different use cases that you address.