Gartner: Authentication systems are 'fatally flawed'

Security analyst Jay Heiser gives his take on the rash of UK public-sector data losses and explains why authentication systems aren't up to scratch

Since the HM Revenue & Customs data-loss debacle in November 2007, public-sector institutions have admitted to repeated, serious breaches of security, with reports regularly emerging of data being compromised by the loss of unencrypted laptops, discs and memory sticks.

The consequences of such data breaches for companies can be dire. Following the loss of a memory stick containing the confidential details of all prisoners in England and Wales, PA Consulting this week lost its £1.5m contract with the Home Office to administer the JTrack prisoner-tracking system. talked to Gartner security analyst Jay Heiser about the recent spate of data losses.

Q: What is your view on the rash of data-loss reports by the UK government since November?
A: It's always happened; there's a propensity for data to leak. Plug-and-play devices encourage more and more data to walk out the door. This is the latest variation on a theme that goes back to the 1950s. However, office copying machines don't allow you to steal or lose data on an industrial scale.

The UK government has been pilloried lately for having allowed data to leak out of the door, but at least they are being honest and upfront about having lost it, and it shames everyone into doing a better job.

Is that the case in the private sector as well?
In the private sector, it's a bit mysterious how much data goes out of the door. You can put gigabytes of stuff on a stick that anyone can afford. It's the nature of data; some amount will leak and, with today's technology, that could be large amounts.

You live in the UK. Aren't you concerned about your government-held data, especially that involved in projects like the ID cards scheme?
I'm a little concerned about that. As a dual national, I have the worst of both systems. I have a [US] social-security number, and that can be lost. Bank-account information is especially sensitive.

But we're concentrating on protecting something that shouldn't be secret. The problem with the tax authorities — whatever they're calling themselves this year — is that national-insurance numbers, like social-security numbers, act both as identifiers and as means of authentication. The problem is that knowing a bank-account number enables you to hack the bank.

So what you're saying is that banks are using non-secret means to authenticate people?
Exactly; the credit-card system is fatally flawed. The information needed to verify a credit-card transaction is the same information used to identify the credit card, but that information can't be kept secret. Credit-card granters don't suffer the consequences when things go wrong, as Ross Anderson [of Cambridge University] says.

What is your view of software as a service and cloud computing? Is it a radically different approach or just software companies rehashing their old products online?
I think it's a radically different approach. Companies are taking a long-term investment and turning it into a known expense.

However, there are significant operational risks. You've lost control [of your data] to a degree that you are not capable of knowing, which people tend to gloss over. Increasingly suppliers are not running the hosts. You can't know where the data is, what country it's in or who has access to it.