Digital Trust in an Analog World
“Do you trust me?” That is the ultimate question we all ask when conducting any transaction in the physical world. What risk-based access decisions are people making in these scenarios? Can both parties, with a degree of certainty, expect that something will happen that they both agree to?
In the physical world, I am amazed by the amount of trust people have in each other. A few days ago, I was on a train, and a complete stranger asked me to look after his laptop and bag for a few minutes. You may have had a similar experience. Why would someone trust a complete stranger with valuable possessions?
The answer is context. The fact that we were on a moving train, with other passengers as witnesses, with 15 minutes to the next station, gave enough context for the stranger to trust me. I could have taken the laptop, but where could I go? Would my fellow passenger make the same decision to trust me on the station platform? The station concourse? The road outside the station? Probably not.
So what does this have to do with trust in a digital world or risk-based access? Historically, the context of a transaction between a computer and a user has been based on a set of implicit rules. The user has an account, therefore he or she is trusted. The user provided a password, therefore he or she is trusted. This is the context of the passengers on the moving train: There is a high expectation that the user can be trusted and there are physical constraints to removing data.
A New Environment for Trust
But the implicit trusts of days past no longer apply. In a world where the user can access services from multiple devices, from multiple locations and with varying degrees of trust about the device and location, we are more in the context of trusting your possessions to a stranger on the station concourse. Without context, any decision to grant access to valuable or sensitive data is a high-risk decision. By adding context, the risk of permitting access can be reduced.
For example, by knowing the user (who has provided a user ID and password), the device (it was registered and has stored an access token) and the state of the device (it is running an up-to-date OS and is not rooted or jailbroken), we can lower the risk of inadvertent disclosure to a minimum. By adding additional context, such as GPS coordinates, Wi-Fi SSID, time and authentication, trust can be increased and risk reduced even further.
Solutions such as IBM’s AppScan technologies allow developers and organizations to perform comprehensive assessments of the integrity of source code and the application’s behavior at runtime. IBM is also working on flexible and mobile-friendly authentication mechanisms to provide enough trust to reduce the risk without making the process of authentication so arduous that the user gives up.
The Context of Risk-Based Access
Going back to my example of who to trust, would I be as happy to look after a stranger’s bag on an airplane? At the departure gate? Just before going into security screening? It’s all about context.
In a similar vein, how would you assess the risk of opening an email attachment from someone you knew who had told you they were sending you something and had done so in the past? This is probably a low-risk action. But opening an attachment from someone you’ve never met, whom you don’t know and seems to be offering something for nothing may be as risky as taking a stranger’s bag through security at the airport. Don’t be surprised if the bag has unexpected contents.
Without trust in the digital world, the value of the business we can do will be relegated to static websites and brochure-ware. With enough trust, transactions can be made with the minimum of inconvenience to both parties. For example, low-value transactions can happen from a registered device. Higher-value transactions can be permitted if the user reduces the risk of impersonation by using a stronger method of authentication.
These risk-based access control decisions allow organizations to balance the risk of loss against the cost and complexity of the user journey. If the user journey is too expensive or complex, then the user may decide not to complete the transaction, resulting in lost sales. Or the cost of issuing hardware tokens or other means of strongly identifying the user can exceed the profit or value to the business. Enterprises must find the happy medium between these demands.