Trust and Assurance Update

Stephen DeAngelis

March 16, 2006

Dave Chesebrough, President of The Association for Enterprise Integration (AFEI), writes at The Net-Centric Dialog about the persistent and growing challenge of identity verification:

When we began doing business on the Internet, so did criminals, spies and terrorists.  According to the FTC there were more than 685,000 complaints of fraud and identity theft, and $680 million stolen in 2005…  [The September 11 attacks] heightened our awareness of identity issues within our institutions.  The question that up till now was taken for granted, “are you who you say you are,” took on an intensity we had not anticipated.

Meanwhile, across the Atlantic, Simon Moores of Zentelligence discusses the upcoming e-crime conference:

…leaders of the global law-enforcement, finance and online business community will assemble in London… In the twelve months since they were here last, we’ve seen the financial services industry under almost constant Trojan horse attack, Denial of Service (DOS) attacks grow by 50% and phishing and identity theft attempts, according to security software company Symantec, approach eight million a day…

For the first time in its history, the e-crime congress will have Yahoo, Amazon, eBay and Skype sharing the floor, with the likes of Al Raji, the largest Islamic bank in the Middle East, the FBI, Professor Ian Angell from the London School of Economics and senior police officers from South Korea and the People’s Republic of China. A gathering which illustrates the global nature of a struggle to prevent serious and organised crime dominating the internet in much the same way as pirates threatened the ocean trade routes of the 17th century.

The evidence to date strongly suggests that fighting e-crime remains low on the list of international government priorities…

In the UK, industry appears to be spending over 15% of its security budgets (and over 50% in some sectors such as Financial Services) to hold down the cost of e-crime to itself and its customers, while the Police are spending 0.01% of theirs…

One growing trend observed since the last e-crime congress is the number of attempts to steal personal information from very large databases. Most recently we’ve seen large international banks and credit card companies own up to loss of tens of thousands of personal card and identity records…

The delegates assembling for the e-crime congress in London this month will hope to hear of new strategies and solutions that can defeat the threat and growing cost…

The urgency of the problem can’t be overstated — or repeated too often.  But there are hopeful signs.  One is the growth of public-private collaboration — as evidenced by the participants in the London conference.  Thanks to that collaboration, strategies and solutions are in fact on the way.  Among them are resilient, automated, standards-based, rules-based identity verification and security systems.  An advantage of such systems is that they connect previously siloed data and organizations — for example, alerting both internal security officers and law enforcement when an attempt is made to breach security.  Another is that they are capable of reacting to such attempts automatically — by invoking pre-configured rule sets that put safeguards in place, and spoof the attack to the attacker while tracing it to establish its point of origin.  Rules automation provides for cost-effectiveness — and for extreme flexibility.  In a resilient, secure information-sharing system, it is possible to establish different levels of trust for different nodes, allowing customized information sharing.

Government agencies have expressed strong interest in such systems.  The automation of trust and assurance will provide for more effective information sharing among intelligence agencies, or among the platforms in a networked battlespace.  But the same systems will be the basis for more effective — and cost-effective — private-sector security solutions as well.  Note to Mr. Moores — help is indeed on the way.