Guest Post by Steve Watts, co-founder & sales director of SecurEnvoy
Businesses are becoming increasingly concerned with the amount of personal and company data that is available to government authorities. And with good cause; unbeknown to many business leaders and employees, it is possible for government organisations to access business data not only without having to ask permission from anyone in the company, but without anyone even finding out about it.
Ironically, data can often be accessed via the very security company that a business uses to make its data secure, e.g. a provider of hardware tokens or two-factor authentication. Under the current laws, government organisations can request copies of specific secret keys, which businesses use to access their corporate data. However, the government can also request them from the authentication companies that automatically store copies of their customers’ codes when created.
Companies need to make sure that their information is secure. This is becoming increasingly difficult, especially when businesses have many remote workers all logging on to a company system from different locations, at different times. To ensure such security, many companies use authentication, the process of identifying a user before granting access to information, typically by a username or password. Two-factor authentication requires something that the user knows – which is the username and password – and a physical object that the user owns – which is either a hardware token (like the kind used to access online banking) or it can form part of an employee’s personal device (for example in the form of an app on a smartphone).
Authentication companies offer different methods to customers. Many of these companies manufacture and send pre-programmed tokens with their corresponding seed records: secret keys that are used to create a series of digits on devices to be used as a method of authentication when logging on remotely. However, the pre-programmed service has a fundamental flaw within the architecture of the authentication technology. As the secret keys (seed records) are generated prior to the customer needing them, and not on demand as end users enrol their phones, the authentication company is required to store customer seed records on file, which poses a significant safety risk.
As long as some authentication companies continue to hold these secret keys, governments can legally request copies of them and could delve into company data unbeknown to the business. With this method, users also have to store a seed record on their device; so what happens when the user’s phone gets passed on or lost? If the seed record is still on the device, then the individual’s corporate identity goes with it.
But it is the seed records stored by the authentication companies that allow other organisations to legally access company data. Different cases have brought cause for concern in recent times, from government authorities being able to access company data without the knowledge of the company’s customers, to millions of seed records being compromised after a successful attack on the authentication company.
This level of security breach is completely unnecessary and can be easily avoided. It is possible to create seed records without the authentication provider needing to store them at all, because the seed records can be split into two sections. Half of the record can be created when enrolling and only stored on the customer’s own server and user device; the other half is derived from the fingerprint of the user’s device and passed back to the server at enrolment. Each time a pass code is required by the user, the device decrypts the first part and then re-fingerprints the device to derive the second part. These seed records are only ever known to the local security server that resides within the customer’s own computer room and only partly known to the end user’s device. Therefore, the authentication provider never even knows what the secret keys are.
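The split described above can be sketched as follows. This is an added example, not SecurEnvoy's code: the HMAC-SHA256 combiner, the use of RFC 4226 HOTP for the pass code, and the device attribute names are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, struct

def fingerprint_half(attrs):
    """Second half: re-derived from device attributes, never written to disk."""
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()
    return hashlib.sha256(canon).digest()

def combine(half_a, half_b):
    """Join both halves into the working seed (assumed combiner: HMAC-SHA256)."""
    return hmac.new(half_a, b"seed-v1" + half_b, hashlib.sha256).digest()

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP, used here as the passcode algorithm (an assumption)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def enrol(attrs):
    """Runs between the device and the customer's own server; no vendor copy."""
    half_a = secrets.token_bytes(32)          # first half, created at enrolment
    half_b = fingerprint_half(attrs)          # second half, sent to the server once
    server_record = combine(half_a, half_b)   # full seed, stays on the local server
    device_record = half_a                    # at-rest encryption omitted for brevity
    return server_record, device_record

def device_seed(device_record, attrs):
    """What the device rebuilds each time a passcode is needed."""
    return combine(device_record, fingerprint_half(attrs))

def server_verify(server_record, counter, code):
    return hmac.compare_digest(hotp(server_record, counter), code)

# Constructed sample devices; attribute names are hypothetical.
PHONE = {"model": "ExamplePhone 5", "hw_id": "constructed-0001"}
OTHER = {"model": "ExamplePhone 5", "hw_id": "constructed-0002"}

def demo():
    server_record, device_record = enrol(PHONE)
    genuine = hotp(device_seed(device_record, PHONE), 7)
    # Stored half copied to another handset: the fingerprint half differs.
    copied = device_seed(device_record, OTHER)
    return server_verify(server_record, 7, genuine), copied == server_record

if __name__ == "__main__":
    print(demo())
```
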
By operating this way, authentication companies cannot give out copies of seed records to government authorities or any other organisations, because the records simply won’t be in their possession. This technology shouldn’t overwhelm business leaders. Put simply, it stops data breaches which can otherwise be easily achieved, and have catastrophic effects on a business.
If you liken this situation to a security scenario that everyone is familiar with, for instance home security, you can see how safe this technology is. Nobody would ever invest in a house alarm system and keep the pre-loaded code that the alarm comes with. Everybody resets the code so that they have a combination of digits which only they know, because it offers higher home security.
The reality is that there will only ever be more devices to access information on, so the need to protect company data and corporate identity is higher than ever. Businesses are right to be concerned about what data government authorities can obtain; but invest in the right security technology and this concern can be dramatically reduced. Failure to look into how the technology works could mean that you are paying for a security solution which isn’t actually secure at all.