Light Dark
November 17, 2015 By Neil Warburton 3 min read
Endpoint
Identity & Access

Digital Trust in an Analog World

“Do you trust me?” That is the ultimate question we all ask when conducting any transaction in the physical world. What risk-based access decisions are people making in these scenarios? Can both parties, with a degree of certainty, expect that something will happen that they both agree to?

In the physical world, I am amazed by the amount of trust people have in each other. A few days ago, I was on a train, and a complete stranger asked me to look after his laptop and bag for a few minutes. You may have had a similar experience. Why would someone trust a complete stranger with valuable possessions?

The answer is context. The fact that we were on a moving train, with other passengers as witnesses, with 15 minutes to the next station, gave enough context for the stranger to trust me. I could have taken the laptop, but where could I go? Would my fellow passenger make the same decision to trust me on the station platform? The station concourse? The road outside the station? Probably not.

So what does this have to do with trust in a digital world or risk-based access? Historically, the context of a transaction between a computer and a user has been based on a set of implicit rules. The user has an account, therefore he or she is trusted. The user provided a password, therefore he or she is trusted. This is the context of the passengers on the moving train: There is a high expectation that the user can be trusted and there are physical constraints to removing data.

A New Environment for Trust

But the implicit trusts of days past no longer apply. In a world where the user can access services from multiple devices, from multiple locations and with varying degrees of trust about the device and location, we are more in the context of trusting your possessions to a stranger on the station concourse. Without context, any decision to grant access to valuable or sensitive data is a high-risk decision. By adding context, the risk of permitting access can be reduced.

For example, by knowing the user (who has provided a user ID and password), the device (it was registered and has stored an access token) and the state of the device (it is running an up-to-date OS and is not rooted or jailbroken), we can lower the risk of inadvertent disclosure to a minimum. By adding additional context, such as GPS coordinates, Wi-Fi SSID, time and authentication, trust can be increased and risk reduced even further.

Solutions allow developers and organizations to perform comprehensive assessments of the integrity of source code and the application’s behavior at runtime. IBM is also working on flexible and mobile-friendly authentication mechanisms to provide enough trust to reduce the risk without making the process of authentication so arduous that the user gives up.

The Context of Risk-Based Access

Going back to my example of who to trust, would I be as happy to look after a stranger’s bag on an airplane? At the departure gate? Just before going into security screening? It’s all about context.

In a similar vein, how would you assess the risk of opening an email attachment from someone you knew who had told you they were sending you something and had done so in the past? This is probably a low-risk action. But opening an attachment from someone you’ve never met, whom you don’t know and seems to be offering something for nothing may be as risky as taking a stranger’s bag through security at the airport. Don’t be surprised if the bag has unexpected contents.

Without trust in the digital world, the value of the business we can do will be relegated to static websites and brochure-ware. With enough trust, transactions can be made with the minimum of inconvenience to both parties. For example, low-value transactions can happen from a registered device. Higher-value transactions can be permitted if the user reduces the risk of impersonation by using a stronger method of authentication.

These risk-based access control decisions allow organizations to balance the risk of loss against the cost and complexity of the user journey. If the user journey is too expensive or complex, then the user may decide not to complete the transaction, resulting in lost sales. Or the cost of issuing hardware tokens or other means of strongly identifying the user can exceed the profit or value to the business. Enterprises must find the happy medium between these demands.

 |  |  |  |  | 
Neil Warburton
Security Architect, IBM

More from Endpoint
November 28, 2023

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

October 19, 2023

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature