IBM Says That Multi-Tiered Security Is the Need of the Hour

Security and privacy are both topics that have been gaining in importance of late, and it's a trend that makes sense as more of our lives migrate to the Internet. But getting people to use good passwords and follow strong security protocols remains a challenge. IBM - among other companies - has studied this problem and has worked on a report to figure out what the future of accessing identity online is going to be. Gadgets 360 chatted with Kartik Shahani, Integrated Security Leader IBM India and South Asia, to learn about the study.

"The study was to understand how data breaches happen, what is the unique way that people break and spoof identity?" Shahani explained. "The intent was to figure out, what IBM should do to be future-ready?"

Part of the problem isn't that there aren't enough security solutions at hand, he added, but rather that the correct use of security solutions is not taking place. "There is a whole bunch of technology to be used where appropriate, the way people will access information via the Web or mobile platform, and there are other technologies as well," he said. "These look at user based anomalies and give detailed response. Even the small things like the way you type and the speed at which you type or the way you move the mouse, is a form of multi-factor authentication that is not using biometrics."

According to the study carried out by IBM, security needs to rely on multilayered authentication options, rather than a single layer of security for all purposes. It adds that the security requirements for different kinds of data varies, and for this reason, a one size fits all approach - whether it's passwords, or biometrics, or any other form - is not going to work.

"There is a set of technologies used by people, depending on what you're accessing," said Shahani. "When the access is for financial transactions, companies and people are very careful about their IDs and passwords. When it comes to social media, it's a very different way of looking at it, where convenience is more important."

However, this in itself presents a cause for concern. Many popular services that house sensitive information, like delivery services, online shopping and dating apps, encourage users to log in using their social accounts. Therefore, if one of these social/ email accounts is compromised, there could be a domino effect on how many additional accounts may also fall into the attacker’s hands.

With biometrics, on the other hand, Shahani pointed out that the concern lies in privacy, and how that biometric data is collected and stored. Trusting organisations to keep biometric data secure varied greatly by industry, with banking leading as the most trusted, according to IBM. Forty-eight percent of people would trust a major financial institution the most with their biometric data, while only 15 percent would trust that data to major social media sites.

However, that doesn't necessarily lead to better security. "Security is all about multi-tiering. What slips through one tier may be caught by another tier, or another one," said Shahani. "Triaging is very very important in security. I don't think there is a silver bullet, so the trick to it is to try and have multiple layers of security triaged so it gets better and better at detection and response."

"Also, there isn't one technology vendor whose technology is used to do all things," he added. "Access control, Web interface, security could all be coming from different companies. So it's very difficult to say that it's completely covered at all places."

To that end, IBM suggests that risk based authentication is the correct approach to take for organisations. With risk-based authentication, the company explained, authentication attempts are automatically evaluated based on contextual data and behavioural cues determined by administrators. When risk scores are elevated, the system can prompt the user to prove that they are who they say they are via an additional factor, which could be a biometric or another mechanism of choice.

"So what happens is, depending on the criticality of the application, you will grade it and depending on that, you will do a step up authentication," Shahani explained. "You may just use a user-name and password, for the next level ask a question, next level biometric, and so on, adding complexity, to allow you to get access. When it comes to financial sites, people will use the highest level of authentication, for the simple public domain stuff, people will use only the basic stuff."