Strides in New IP technologies, coupled with biometrics and authentication, could eventually lead to the demise of the password -- one of the weakest forms of protection against data loss or theft.
Indeed, hackers tapped authentic user credentials in most data breaches, in 63% of cases relying on weak, stolen or unchanged default passwords to, finds the 2016 Verizon Data Breach Investigations Report (DBIR), released last month. (See: Verizon: Bad Guys Still Phishing for Data.)
Service providers are making strides in other technologies. SDN and NFV deliver new security capabilities, Rita Marty, executive director in AT&T's Chief Security Office, told the New IP on a recent Tune in Tuesday radio show. (Listen: AT&T: Securing the New IP Network.)
Interested in learning more about how AT&T is using SDN, NFV, authentication, biometrics and other tools to protect both itself and its customers, I talked with David Hulsey, assistant vice president of technology security in AT&T's Chief Security Office.
Moving Beyond Passwords
New IP technologies plus biometrics and authentication will improve security, says David Hulsey.
Alison Diana: How can telecommunication service providers incorporate authentication and other security measures into their networks?
David Hulsey: Security and in particular authentication technologies are an essential aspect of a telecommunication service provider. As more and more devices are getting connected as part of the Internet of Things (IoT), we are evolving our security infrastructure by developing stronger authentication capabilities and making the process effortless and more secure.
Stronger authentication approaches authenticate users with their mobile devices or through emerging technologies like biometrics. However, there is no silver bullet to solve authentication issues so telecommunication providers must constantly evolve their protections to meet the ever-changing security landscape.
At AT&T, we can utilize our abilities as a leading carrier and ISP to detect threats and dynamically adapt who can access what and prevent possible attacks. We've developed proprietary technology, integrated in our Halo Platform that simplifies the process for the user and provides better protection throughout the authentication process.
AD: What benefits do SDN and NFV bring, security-wise?
DH: Moving to SDN allows us to maximize responsiveness, efficiency and provide additional layers of security. In virtualizing our security functions across the network, we are able to update security automatically, instead of relying on manual updates and rapidly security measures in an attack to help limit its impact.
SDN also allows us to expand the network to handle additional traffic during an attack. For example, we can boost network capacity during a Distributed Denial of Service (DDoS) attack to help keep things running without disturbing operations.
Our network is protected through virtualized defenses that allow us to de-couple hardware and software components of network security devices to provide security software as a service, built within a distributed [cloud] environment, integrated within the cloud provisioning process and extend security to the application layer to deploy micro-perimeters within the cloud.
AD: From a user perspective, what is the biggest hurdle to security -- and how are things like biometrics improving end-user security for mobile devices?
DH: Currently, every device, application and tool requires unique usernames, passcodes and passwords. This means that users are constantly trying to think of passwords and passcodes that are highly secure, with unique characters and numbers that cannot easily be guessed, but can also be easily remembered. This time and energy poses a challenge, and often leads to time spent recovering forgotten usernames and passwords.
Further, these authentication tools are often not optimized for mobile use, despite the fact that users often shift between mobile devices and computers. Biometrics helps eliminate these concerns. Using one's fingerprint requires no time and energy, it's extremely challenging to duplicate and it remains constant across mobile devices.
AD: How do you also address people with disabilities, industries where users wear gloves so fingerprint authentication is tough and other scenarios?
DH: Biometrics is not the only advanced tool for authentication. Today's technologies can authenticate users based on their location, the device they are using, or the network they are on. While biometrics is one advancement, there are many other tools that help simplify the authentication process. This helps businesses sense and adapt to the latest security issues.
Companies can select the process that's right for them, but there are now many emerging solutions that move away from the complicated password and passcode process.
AD: What are some of the advances AT&T is making in the area of security?
DH: Security is part of AT&T's heritage and DNA as part of operating a network and protecting the massive volumes of data that cross it. As a result of our leadership in the transition to software-defined networking, we've become a leader in virtualized security functions. These functions help us provide more flexible, agile and customizable security solutions for our network and our customers. We're architecting our network with security in mind as we move to 5G, and making great advances in cloud security.
From an authentication standpoint, we've developed the AT&T Halo platform, which combines our proprietary technology that can authenticate users with biometrics, location or device information and the threat visibility our network provides to help protect users. It's mobile-friendly, more secure and effortless for the user.
AD: Is it harder to secure internal data or customer data?
DH: Securing internal and customer data both come with significant challenges. Every company faces different risks. For example, consumer-facing companies that take in payment information such as credit card data are very different than companies that have proprietary software that might be of value. While both companies have valuable information, they are targets of different kinds of attacks from different kinds of attackers.
That said, it is essential to understand what information your company has, and why it might be valuable to an attacker. Based on that knowledge, a company can better prepare for the kind of attacks most likely to target that kind of information, be it potential confidentiality breaches or a destructive malware attacks intended to disrupt operations. This will allow companies to make intelligent business decisions around security.
AD: Where do you think we'll see the next major advances in security?
DH: With so many things requiring multi-factor authentication, we can see moving away from constant passwords, since so many people use bad passwords that are easy to replicate, because that's what they can easily remember. That being said, authentication processes certainly will not change overnight.
I think one-time passwords will grow in popularity to prevent this problem. I'd also see a growth in biometrics, as well as authentication via location or via the device a user is on. These are more complicated to replicate, and so they enhance security.
— Alison Diana, Editor, The New IP. Follow her on Twitter @alisoncdiana or @The_New_IP.