After collectively spending billions of dollars, perhaps a trillion dollars, on network security, corporations still have major security problems. Meanwhile, your ATM card allows your bank to dispense cash with confidence from a machine on a city sidewalk.
The technology behind your ATM card is older than the floppy disk. So why are bank ATM networks generally secure, while corporate information networks, despite continuous investment in the latest security technology, are barely able to keep ahead of intruders?
Wes Kussmaul, author of Don't Get Norteled, claims that the difference is not about technology but about assumptions and architecture.
"Your bank's ATM network starts with the premise that knowing who you are is the foundation of security. If a trusted co-worker asked you to share your ATM card and PIN, what would you say? Of course, they'd never ask in the first place," notes Kussmaul, adding, "If that co-worker asked you for your network password, what would you say? In many companies, collaborative work gets done by sharing access credentials, in spite of rules against it."
Security experts work hard to assure us that their methods are working, right up until those methods fail; then the emphasis shifts to excuses such as "no security is perfect."
Kussmaul notes that virtually all information security technology depends upon the ability to determine the intentions and character of the sender of a stream of bits. "Common sense should tell us that that is impossible. It's like asking your office building's lobby receptionist to determine the intentions and character of everyone who walks through the door. It only works in the case of an amateur attacker who lacks skills and funding. And those aren't the attackers you need to worry about."
"Failure to think that through has deflected attention from proven authenticity-based solutions."
As the founder of Delphi Internet Services Corporation, which was acquired by Rupert Murdoch's News America Corp., Kussmaul has been involved in the building and operation of secure file sharing spaces since 1981.
The subtitle of Don't Get Norteled, "Authenticity works where security technology has failed us," points the way to an entirely new approach to security. "Authenticity with a capital A is the condition that exists when all significant events are digitally signed by user-owned universal credentials based upon digital certificates of measurable reliability," notes the author.
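To make the definition above concrete, here is an added example (not code from the book or from Kussmaul) of what "significant events digitally signed by user-owned credentials based upon digital certificates" looks like in practice. It assumes a hypothetical credential issuer that gives each user an Ed25519 key pair and an X.509 certificate naming them; the users alice and bob, the issuer name, and the sample file-edit event are all constructed for the illustration. The verifier checks three things: that the certificate chains to a trusted root, that the certificate names the actor the event claims, and that the signature covers exactly the event bytes as recorded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Event is one "significant event" (here an edit to a shared file); encoding/json
// emits fields in declaration order, so Marshal gives deterministic bytes to sign.
type Event struct {
	Actor  string `json:"actor"`
	Action string `json:"action"`
	Object string `json:"object"`
	At     int64  `json:"at"`
}

// SignedEvent carries the event, the signer's certificate and the signature.
type SignedEvent struct {
	Event Event
	Cert  *x509.Certificate
	Sig   []byte
}

func check(err error) { if err != nil { panic(err) } }

// issue generates an Ed25519 key pair and a certificate naming its holder. With isCA
// true it is self-signed (root of a hypothetical issuer); otherwise parent signs it.
func issue(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, priv
}

// Sign records an event performed by the holder of priv.
func Sign(e Event, cert *x509.Certificate, priv ed25519.PrivateKey) SignedEvent {
	msg, err := json.Marshal(e)
	check(err)
	return SignedEvent{Event: e, Cert: cert, Sig: ed25519.Sign(priv, msg)}
}

// Verify accepts an event only if the credential chains to a trusted root, names
// the actor the event claims, and signed exactly these event bytes.
func Verify(se SignedEvent, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := se.Cert.Verify(opts); err != nil {
		return fmt.Errorf("credential not trusted: %w", err)
	}
	if signer := se.Cert.Subject.CommonName; signer != se.Event.Actor {
		return fmt.Errorf("event claims actor %q but was signed by %q", se.Event.Actor, signer)
	}
	msg, err := json.Marshal(se.Event)
	check(err)
	if err := se.Cert.CheckSignature(x509.PureEd25519, msg, se.Sig); err != nil {
		return fmt.Errorf("signature does not match the event as recorded: %w", err)
	}
	return nil
}

// Scenario checks a genuine event from alice, the same record altered after signing,
// and an event naming alice but signed with bob's key (a shared or stolen credential).
func Scenario() (genuine, tampered, impersonated error) {
	ca, caKey := issue("Example Credential Issuer", 1, true, nil, nil) // hypothetical issuer
	aliceCert, aliceKey := issue("alice", 2, false, ca, caKey)
	bobCert, bobKey := issue("bob", 3, false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	ev := Event{Actor: "alice", Action: "edit", Object: "q3-forecast.xlsx", At: 1700000000} // constructed sample
	genuine = Verify(Sign(ev, aliceCert, aliceKey), roots)
	forged := Sign(ev, aliceCert, aliceKey)
	forged.Event.Object = "q3-forecast-final.xlsx" // record altered after signing
	tampered = Verify(forged, roots)
	impersonated = Verify(Sign(ev, bobCert, bobKey), roots) // bob's key under alice's name
	return genuine, tampered, impersonated
}

func main() { fmt.Println(Scenario()) }
```

Running it prints a nil error for the genuine event and descriptive errors for the other two. The contrast with a shared password is the third case: when an event carries a signature, a record claiming alice but produced with bob's key is rejected outright, whereas two people using one password are indistinguishable to the system. The caveat is that a signature attributes an action to a key, not to a person, so the scheme only delivers the accountability it promises if private keys stay in their owners' custody (for instance in a hardware token) rather than on an endpoint an intruder can copy them from.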
Don't Get Norteled refers to the fate of the officers of Nortel Networks, a ten-billion-dollar maker of network equipment that filed for bankruptcy in 2009. As the company was failing, it came to light that the usernames and passwords of Nortel's seven top officers had been compromised for years by hackers apparently operating from the company's competitors in China.