Traditional identity systems are the new battleship row
In 1941, the US Military was trying to save on security costs by mooring its battleships close together while they were in port. Aircraft were also parked neatly in rows. Many of the most valuable assets of the Pacific Fleet were all centralized in one convenient spot that was well organized, easy to find, and therefore easy to attack.
On 7 December 1941, a date that will live on in infamy, that is exactly what happened.
The US military learned some things from this. That is why aerial views of Air Force Installations built during the Cold War show that aircraft are parked in Hardened Aircraft Shelters (HAS) which are not centrally located, but instead scattered around everywhere. Now the Navy rarely keeps multiple important vessels in port simultaneously, and they are never docked or moored in a way that would make them an easy target.
During the Cold War era nuclear arms race, missile silos constructed by each nuclear power were intentionally spread out across thousands of miles. Clustering them all in one spot would have made them far more convenient to operate, to maintain, and to defend on the ground. But that would also have made them a simple target for an enemy nuke, which could wipe out everything within miles and reduce the capability to retaliate.
Distributed things are hard to attack, especially if they're concealed behind various layers of protection, like camouflage, concrete, steel, or encryption. Yet somehow, despite the cyber version of Pearl Harbor happening time and again, few people seem to be learning this lesson. Companies like Equifax and Orbitz collect sensitive data, then neatly line it up like a row of battleships, because 77 years later, people still haven't learned. While centralizing data might make it more convenient to access, it absolutely makes it more difficult to protect.
In an effort to protect centralized data, many organizations should consider encrypting databases in a distributed way. With distributed database encryption, teams can break decryption in to multiple pieces to reduce vulnerabilities from the crown jewels remaining all in one spot. Data security precautions won’t count for much if weakly protected encryption keys and decryption holes continue.
Teams have also tried to layer multi-factor authentication--SMS verification, email confirmation, etc. -- over human readable credentials like usernames and passwords. Unfortunately, multi-factor authentication can still create vulnerabilities like man-in-the-middle attacks or risks from the wrong party reading and using exposed usernames, passwords or other readable credentials. Moving forward, logins should use the right factor for authentication, which could verify users by unique token, ID card, randomly-generated QR codes or other methods only authenticated computer-to-computer.
The use of tokens, ID cards or some other item a user physically has also ensures that a hacker can’t break through using only digital means. It also assures that information can be accessed by the sole party that has original permissions. This right-factor authentication approach can also support secure universal identification (SUID). Several agencies have taken steps to tie drivers’ licenses, passports and other official documentation to universally identify a single person across databases and systems, which ensures ease and added security for both the organization and the person.
As a means of stopping billions in annual losses due to fraud associated with government entitlement programs (among a myriad of other problems), the U.S. is interested in building a physical wall at one of our borders to keep the bad guys out. But in our increasingly digital world, it won't work any better at keeping hackers out. People don't need to be on U.S. soil to steal from the economy, they just need an internet connection and for us to continue our predictable pattern of poor security practices. Moreover, because we're not using an SUID system, the bad guys could simply buy counterfeit passports or other falsified authentication and go right on through the wall at a security checkpoint.
The battleships destroyed in Pearl Harbor were obsolete by the time they were attacked -- just as human readable credentials like usernames and passwords are obsolete now. Unlike battleships and walls, aircraft played an important role in winning WWII, just as right-factor authentication, distributed data storage, and secure universal ID could someday win the cyber war.
Perry Chaffee is the vice president of strategy for WWPass, where he leads company strategy and product marketing in the company’s mission to battle identity theft and data breaches for governments and enterprises. Prior to joining WWPass, Perry held several roles within military cyber warfare and defense acquisition project management. Perry’s military expertise began with the Air Force Academy, where he earned his bachelor’s degree in legal studies.