Eric Vanderburg

The concept of identity is core to the protection of data.  Data and other computing resources exist to be used by individuals, each of whom has an identity that is used to grant or deny access to those resources.  Identity is not limited to humans, however.  Computer services also have identities that allow them to interact with other services and with data, and those service identities need the same care as user identities.

As humans, we understand identity as the set of characteristics that are distinctive of an individual, and our method of validating identity comes naturally in the course of interaction.  We recognize and associate these characteristics with a unique person, and our ability to do so increases with our exposure to the individual.  Exposure does not need to be direct, such as spending time with someone, but can be gained indirectly through activities such as reading or talking about them or seeing them on TV.  This is why some persons are more easily recognizable than others.  Consider how you recognize the touch of a loved one or the voice of your mother, whereas a former acquaintance’s name may be unfamiliar to you even when encountering them face to face.  Similarly, popular personalities such as actors or politicians are easily recognized by each of us even if we have never met them personally.  Similar methods are used to build trust.  You wouldn’t let a stranger borrow your car, but this might change as strangers become friends.

Computers, likewise, can use a variety of characteristics to validate a claimed identity, but the methods of recognizing that identity differ from those humans use.  Users validate their identity to a computer by first claiming an identity (identification) and then providing credentials to back up that claim (authentication).  For example, a username claims an identity while the correct corresponding password validates it; the username alone proves nothing.

However, there are several important distinctions between the identification that occurs on a computer system and identification between persons.  Computers have an advantage over humans in that they do not forget user identities over time, but their methods of identifying a person are much more limited.  Whereas a human can use hundreds of characteristics to recognize an identity, and can associate a different set of characteristics with each person, a computer system typically supports only a few very structured methods of identification.  The most familiar method of authenticating to a computer system is the traditional username and password, but other methods such as fingerprints, facial recognition, proximity cards and secret questions can also be used.  These are not equally strong: secret questions are the weakest of the list, because the answers are often discoverable from public records or social media.

There are further distinctions between computers and humans in terms of trust.  Humans trust an individual based on their experience, knowledge and interactions with the individual, but computers trust an identity only as far as its permissions dictate; this step, authorization, is separate from authentication.  Permissions determine how an identity can interact with data, including viewing, modifying, creating or deleting it.  Other permissions might allow an identity to issue commands to a computer system, run a program, or use a service, and anything not explicitly permitted should be denied.
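The claim, credential and permission sequence described in the two paragraphs above, as an added example (not code from the original article).  The identities, passwords and permission table are constructed sample data; the iteration count is an assumption lowered so the example runs quickly.  It also shows two details the text implies but does not spell out: a per-user salt and a slow hash so a stolen credential store resists cracking, and a decoy credential so an attacker cannot learn which usernames exist by timing failed logins.

```python
"""Claim, credential, permission: the sequence the article describes.

Added illustration, not code from the original article. The identities,
passwords and permission table below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Assumption: a lowered PBKDF2 cost so the example runs quickly; production
# systems should use a much higher iteration count (or a memory-hard hash).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A per-user salt keeps equal passwords from
    producing equal stored values, so a stolen table cannot be attacked in bulk."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# One human identity and one service identity (constructed).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
    "report-svc": hash_password("s3rv1ce-s3cret-2024"),
}

# Decoy credential: unknown usernames are checked against this so that a
# failed login takes the same time whether or not the name exists.
_DECOY = hash_password(os.urandom(32).hex())


def authenticate(claimed_identity: str, password: str) -> Optional[str]:
    """Identification is the claim; authentication is checking the credential.

    Returns the identity on success and None otherwise, without revealing
    through timing or message text whether the username was valid."""
    salt, stored = USERS.get(claimed_identity, _DECOY)
    _, candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, stored)  # constant-time comparison
    if matches and claimed_identity in USERS:
        return claimed_identity
    return None


# Permissions: what an identity may do to a resource. Anything not listed
# is denied, for both human and service identities.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "payroll.csv"): {"view", "modify"},
    ("alice", "drafts/"): {"view", "modify", "create", "delete"},
    ("report-svc", "payroll.csv"): {"view"},
}


def authorize(identity: Optional[str], action: str, resource: str) -> bool:
    """Trust extends exactly as far as the permission table says."""
    if identity is None:
        return False
    return action in PERMISSIONS.get((identity, resource), set())


def access(claimed_identity: str, password: str, action: str, resource: str) -> bool:
    """The full sequence: claim an identity, prove it, then check the permission."""
    return authorize(authenticate(claimed_identity, password), action, resource)
```

Note that `authenticate` returns the same `None` for a wrong password and for an unknown username, and spends the same time on both; an application that reports "no such user" separately hands an attacker a list of valid identities to attack.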

Mitigating computer-based identity weaknesses

Both human and computer identification systems suffer from inherent weaknesses.  A computer’s limited methods of identification, and the structured way it evaluates them, make it relatively straightforward for an attacker to exploit those methods programmatically and fraudulently authenticate.  The same characteristics are also an advantage, since a computer will always stick to the rules and enforce the identity requirements for every individual when the identity system is implemented properly.  Computer weaknesses are commonly exploited through credential cracking, credential theft, and the exploitation of vulnerabilities in the authentication system itself.

The overly simplistic solution would be to combine the advantages of both systems.  However, this does not work well in practice.  Multi-factor authentication (using multiple methods to validate a claimed identity) is a well-accepted improvement over single-factor authentication, but it is usually limited to a small handful of identifying characteristics.  This limitation lies primarily in resistance from users, who resent the time required to present multiple credentials or the need to carry items on their person in order to authenticate.  Some of the most effective systems combine user-provided credentials with data the computer system can collect on its own, such as the location, the device initiating the connection, and the time and date, but these still fall short of what a human can use in identification.  Furthermore, these credentials can still be faked or fraudulently obtained, and factors differ in how hard that is: a one-time code sent by SMS can be phished or intercepted in real time, whereas a hardware-backed authenticator bound to the site it was registered with cannot be replayed to a look-alike site.

Human interaction typically detects a change in identity or behavior naturally in the course of interaction, but computers validate identity once and then assume it has not changed between a user’s logon and logoff, the span known as a session.  This presents a problem for enterprise security, since malware, shared sessions, or idle sessions that have not been locked allow misuse by others.  The computer system cannot differentiate between actions taken by a coworker at another user’s unlocked computer, or by malware running in the user’s session, and legitimate actions performed by the user.  This risk is somewhat mitigated by automatically logging off idle sessions and by locking screens after a period of inactivity, but that still leaves a lot of room for session compromise.

Some systems are beginning to revalidate credentials periodically to protect against a compromised session.  The most basic systems simply revalidate at predefined intervals, while more advanced systems weigh a variety of variables with more complex rules to evaluate the level of assurance they have in the identity.  For example, abnormal user interaction could trigger reauthentication, as could a change of location, a change of device mid-session, or the same identity logged in from two distant locations at the same time.
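A session evaluator of the kind the three paragraphs above describe, as an added example (not code from the original article).  It uses only data the system collects on its own (time, device, location and the identity’s other live sessions) and returns the reasons a given action should force reauthentication: the basic periodic rule, an idle timeout, a device change, impossible travel between two actions, and a concurrent session far away.  The thresholds, the session fields and the sample coordinates used in the usage below are assumptions chosen for the example.

```python
"""Continuous session assurance: reauthenticate on signals, not just at login.

Added illustration, not code from the original article. The thresholds, the
session fields and the sample events are assumptions chosen for this example.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

IDLE_LIMIT_S = 15 * 60          # lock after 15 minutes without activity (assumed)
REVALIDATE_EVERY_S = 8 * 3600   # the basic rule: reauthenticate every 8 hours (assumed)
MAX_TRAVEL_KMH = 900.0          # faster than an airliner between two events (assumed)
CONCURRENT_DISTANCE_KM = 500.0  # two live sessions farther apart than this (assumed)
EARTH_RADIUS_KM = 6371.0


@dataclass
class Event:
    """One observed action in a session."""
    t: float                       # seconds since the session was opened
    device: str                    # identifier of the device the request came from
    location: Tuple[float, float]  # (latitude, longitude) in degrees


@dataclass
class Session:
    identity: str
    device: str
    location: Tuple[float, float]
    authenticated_at: float = 0.0
    last_seen: float = 0.0
    history: List[str] = field(default_factory=list)  # reasons raised so far


def distance_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def evaluate(session: Session, event: Event, live: List[Session]) -> List[str]:
    """Return every reason this event should force reauthentication (empty = trusted).

    Only data the system collects on its own is used: time, device, location
    and the identity's other live sessions."""
    reasons = []
    gap = event.t - session.last_seen
    if gap > IDLE_LIMIT_S:
        reasons.append("idle")
    if event.t - session.authenticated_at > REVALIDATE_EVERY_S:
        reasons.append("periodic")
    if event.device != session.device:
        reasons.append("device-changed")
    # Implied speed since the last trusted event; out-of-order events (gap <= 0) are skipped.
    if gap > 0 and distance_km(session.location, event.location) / (gap / 3600) > MAX_TRAVEL_KMH:
        reasons.append("impossible-travel")
    if any(o is not session and o.identity == session.identity
           and distance_km(o.location, event.location) > CONCURRENT_DISTANCE_KM for o in live):
        reasons.append("concurrent-distant-session")
    return reasons


def observe(session: Session, event: Event, live: List[Session]) -> List[str]:
    """Apply one event: advance the session if trusted, otherwise hold it and report why."""
    reasons = evaluate(session, event, live)
    if reasons:
        session.history.extend(reasons)
    else:
        session.last_seen, session.location = event.t, event.location
    return reasons


def reauthenticate(session: Session, event: Event) -> None:
    """Call after the user has successfully presented credentials again."""
    session.authenticated_at = session.last_seen = event.t
    session.device, session.location = event.device, event.location
```

With a session opened from New York, an action ten minutes later from London is flagged as impossible travel, and a second live session for the same identity in Tokyo flags the next action as a concurrent distant session.  Note that an untrusted event does not advance `last_seen` or the stored location, so a single spoofed location cannot be used to "teach" the session a new baseline; only a successful `reauthenticate` does that.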

A variety of systems under the umbrella of Identity and Access Management (IAM) have been created to handle computer identity, chosen according to the scope and complexity of the need.

Mitigating human-based identity weaknesses

Humans are less disciplined than computers in validating identity, and humans become distracted.  A pretty smile or a few friendly words will not get past a computer, but they work just fine, and quite often, with humans.  Other techniques, such as making oneself appear to be an authority figure, playing on emotions, or asking for help, exploit general human characteristics.  I refrain from calling them weaknesses because they are vital to positive social interaction, but they present a threat when exploited by a malicious individual such as a social engineer.

These human traits are the targets of social engineering: persuasion schemes that entice users to divulge their credentials or perform actions on the social engineer’s behalf.  The threat is reduced through security awareness training, documented and enforced policies and procedures, and a culture of security.

The threat of identity compromise, for computers and humans alike, has been the force behind many of the security controls in place today.  Humans and computers handle identity very differently, but both access and interact with organizational data, and both remain targets for identity compromise when they are protected independently.  When humans and computers are integrated into a human-centric security strategy, however, their strengths and weaknesses can reinforce one another.  Where humans lack consistency, a computer assists, and where computers have difficulty validating, humans add context and experience.  Security controls built on this understanding of human and computer strengths and weaknesses are easier and more intuitive for users.  That results in fewer mistakes and fewer security workarounds, and it increases productivity by reducing security complexity.  Simply put, humans and computers combined are a winning combination.