Skip navigation

Bio Vulns - crop.jpg

Authentication in the modern enterprise is becoming more difficult.  The risks are rising, but adding more security controls can impede workers and are difficult to integrate into legacy systems.  Biometrics may be a better path to improve security while not adversely impacting the user experience.  But there are risks.  Biometric systems are not without vulnerabilities themselves. 

 

ABI Research has recently published an infographic showing a comprehensive view of biometric system vulnerabilities as well as a whitepaper talking to the recommendations for enterprise environments.   

 

The traditional username/password method is entrenched in most businesses, but in desperate need of improvement.  A sole reliance on passwords to gain access to devices, networks, and data is proving to be weaker as attackers are getting better at undermining them.  Passwords can be hacked, social engineered, and are a major source of vulnerabilities.  Once compromised, they open a vast number of doors for attackers. 

 

Passwords alone simply are not good enough.  Users as well as system administrators find them difficult to manage.  Changing the status quo is difficult, as the majority of business processes are built to support passwords and workers typically adverse to new security practices. 

 

Biometrics have been in use for some time in limited ways.  Considerable advances have brought the technologies forward to meet some of the challenges to drive broader adoption.  This has created very complex ecosystems to satisfy a variety of demands.  But like any technical authentication system, there are potential vulnerabilities at every step.  The key to improved biometrics security may be to simplify the technology to lessen the number of vulnerable points of attack.  Cost, user experience, and risk aspects must be recognized and proactively addressed for any additional controls.

 

Reducing risk.

Multi-Factor Authentication (MFA) reduces the risk of compromise as it does not suffer from the reliance on just one method to grant access.  Attackers must compromise at least two different controls.  The downside is by adding additional factors, it can undermine the user experience to the point of affecting productivity and acceptability.  Having biometrics satisfy one of the factors in MFA, holds the potential of reducing the friction users must endure, while improving the overall security of the system.

 

User Experience. SSG_16_02_EvangelistProgram_CyberSecurityImages_Final_B.png

Automating the awareness of the user can make authentication a seamless experience.  We automatically carry our biometrics with us.  Nothing to forget, lose, or break.  Advanced technology can make the process even easier.  For example, the tracking of a user’s face while in front of their laptop can make the device aware when they walk away to get a cup of coffee and leave the system unattended.  The system can automatically lock the screen.  Conversely, when the logged-in user returns, the system can recognize the familiar face and automatically unlock the system.  Such an experience is beneficial to the user while keeping the device safer.

 

Managing Costs.

Nobody wants to spend money on identity security.  Yet, there are a plethora of peripherals and secondary devices which enterprises purchase, maintain, manage, and service.  Fingerprint scanners, hardware card readers, and digital USB keys are popular but incur additional costs and frustrate users who have to carry the gadgets and cables.  What if devices themselves had integrated and trusted components which could do the authentication work?  Specialized cameras, microphones, fingerprint scanners, and electronics to securely match the profiles locally on the machine may be the path forward.  Hardware which is optimized and secured, supplanting the need for users to deal with secondary peripherals, could lower the overall total cost of ownership for enterprises.

 

 

Is biometrics the answer?  Well, it is one answer which is growing in popularity with organizations seeking better security, employee productivity, and paths to reduce costs. 

 

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

5G security.jpg

5G holds the potential for massive immersion of technology into the lives of people and businesses. It is an evolution of technology which could allow bandwidth for 50 billion smart devices, driving towards a world where everything that computes will be connected.  Such transformative technology opens great opportunities, but comes with new unimaginable risks.  The scalability of improved speed, connections, and responsiveness will fuel unprecedented growth of data from more sensors and devices in our cities, homes, vehicles, and close to our bodies.  These will have access to our personal events, conditions, and provide new experiences of convenience, entertainment, and productivity; all of which, have amplified security, safety and privacy concerns. 

 

The fifth generation of networking represents an important technology enabling the next wave of computing devices to be connected for the benefit of users.  Upcoming 5G networks are designed to be vastly superior to our current 4G LTE mobile networks by increasing data speeds potentially 30 to even 100 times faster, shorten the latency for responsiveness, and perhaps most importantly scale to connect the billions of devices anticipated in the coming years.  Cars, smart clothing, ingestible health sensors, home appliances, drones, street signs, light posts, industrial equipment and many more in just about every field imaginable will connect and share data.  In many ways, it will bring computing to a more personal level.  The wearables, embedded sensors, smart vehicles, home automation, individualized healthcare and monitoring, and environment-aware entertainment devices will connect communities and enrich lives.  Devices will more easily and reliably share information, and work together to enhance our convenience, productivity, safety, health, and interpersonal connections with the people we care about. But such powerful tools can also be leveraged by those with malice or insensitivity. 

   

We must protect our technology, data, and privacy from those who intend or would do harm.  The value of 5G networks and devices must include aspects of security, trust, and privacy.  We will embrace technology that vastly improves the way we communicate and interact with the world, and at the same time act responsibly to support the establishment of protections for systems and people. 

 

As devices become more intelligent and capable, we trust them to complete physical-world assigned tasks.  In doing so, people relinquish a certain amount of control.  In most cases this is positive, could drive sweeping benefits, enhance productivity, and promote safety.  Having a smart car parallel park for me is much safer than my bumbling attempts to do the same.  I have never really mastered the task which results in delaying other traffic, higher stress levels, and eventually higher insurance rates due to the small dents I will likely cause.  So having a car respond to my request to park, measure the space and quickly maneuver the vehicle safely into the spot is nothing short of blissful magic for those like me who normally drive in endless circles waiting for an easier parking spot.  But to gain such benefit, I must understand that the vehicle is engineered in a way so it has the ability to sense immediate surroundings, accelerate, brake, and turn.  This is fine at a slow speed when I want to squeeze into an advantageous parking spot, but not so good for passenger safety if a malicious attacker takes control while traveling down the highway.  In the end, technology is a tool.  As 5G rapidly advances the connectivity and capabilities to open the possibilities of a better world, we cannot be ignorant or complacent when it comes to the risks and necessary security.

 

 

The biggest risks of 5G networks

Safety and Privacy, specifically for emerging IoT devices, represent the greatest risk. The Internet of Things will bring new levels of convenience, automation, awareness, entertainment, and productivity to people’s lives.  However, in the wrong hands, such connected smart devices we come to treasure, may be turned into tools to undermine our security, invade our privacy, and be misused to become a safety risk. 

 

Some would argue industrial controls hold the greatest risk.  But I would challenge such positions.  Industrial Control Systems (ICS) have long been in place in our power plants, water treatment, and chemical facilities.  Over time these systems gradually get connected to the internet, but in my opinion the introduction of 5G is not terribly important in this space from a risk perspective.  ICS operators have recognized the risks and realize they have been under attack for years.  To compensate, they have tried to limit the exposure of these systems and in many cases not upgraded connectivity capabilities on purpose.  Smart devices in ICS facilities could in theory be exploited, but it is more likely more sophistical control computers like servers and PC’s would be targeted. 

 

As 5G begins to roll-out, in the 2018 to 2020 timeframe, I think it will be the consumer devices which will hold the greatest risks.  I predict it will be the transportation, healthcare, and drone industries that will be the source of the most talked about abuses to security, privacy and safety.

 

Here are some examples where benefits accompany risks:

Scenario: Automobiles/Autonomous-Vehicles

Next generation automobiles and public transportation can use 5G networks to communicate with other vehicles and road sensors to avoid collisions, shorten travel times, and improve fuel economy.  But under the control of a malicious attacker, such vehicles may slow the flow of traffic or even worse, actually cause a serious accident. 

 

Scenario: Healthcare

Health monitors can enhance fitness, warn of impending medical conditions, summon help when the user is unable, assist doctors in fine tuning medications, and aid researchers in finding patterns across dispersed groups for improved treatments to some of the most severe chronic conditions.  But such power can also be abused.  Personal privacy can be undermined and tampering with data can cause an opposite effect with potentially serious consequences for patients under medical care.

 

Scenario: Drones

Drones are rapidly being adopted to extend the reach of a variety of services and capabilities.  They deliver medicines quickly over difficult terrain, assist with the detection and fighting of forest fires, explore hazardous environments, conduct military missions in dangerous zones, give artists new capabilities to capture expressive viewpoints, and may become the workhorse for the rapid package-delivery service of the future.  Conversely, they are a risk to passenger planes during takeoff and landing, they have impeded firefighting efforts, could be used as weapons of terror, be a hazard during social protests, support narcotics smuggling, and we have already seen how they can be a nuisance to privacy when watching people in what would normally be considered personal settings.

 

 

Securing 5G devices

Users, devices, software, networks, and back-end infrastructures must all play a role to improve the security of 5G devices.  The improved scalability of connectivity allows for a greater number of devices to communicate and results in the generation of much more data.  The devices, applications, and data form a chain which must be protected.  The problem is similar to the challenges we currently face with the Internet, just amplified to a much larger scale.  Emerging IoT devices represent a new challenge, as they are not as powerful and capable of defending themselves as PC’s, servers, and smartphones.  Most lack the power and speed to run sophisticated feature-rich security solutions.  So, more emphasis will need to be placed in other areas, such as hardware, networks, application validation, and back-end infrastructures to compensate.


 

Establishing trust as a foundation in 5G begins now

Cooperation among technology leaders to define robust standards which embed aspects for stronger security, improved privacy, and greater controls for life-safety related systems is imperative.  If security is not proactively addressed, the value proposition for IoT on 5G may be undermined by an erosion of the appeal and adoption by customers. 

 

Trust is hugely important.  Security must be designed into the 5G standards as part of the foundation, especially when considering its use in IoT connectivity.  Privacy aspects, to give end-users more oversight, default anonymity, and choice, must be included in product and software designs.  Systems which may represent a threat to the life-safety of people should possess elevated levels of security, administration, and control.  As consumers embrace technology, such as automated transportation and medical management systems, the level of trust must rise to compensate for the risks. 

 

The industry is at a point where security can be woven into the fabric, rather than suffer as a bolt-on afterthought.  Leaders in technology must work together now, to establish trust in the foundations and usages for 5G.  Consumers must do their part and be vocal in such expectations.  The demand for security is a critical driver for the delivery by suppliers who want to be competitive and service their customers.

 

 

How will top technology leaders play a role in supporting security, safety, and privacy?

Technology innovation and influence must occur in 3 areas to support 5G security, safety, and privacy. 

  1. Develop architectures and platforms to embed security and trust into the foundations of 5G connected devices and the back-end infrastructures which will handle the vast amounts of data from those devices.   
  2. Influence industry best practices and collaboration to establish robust frameworks and technology standards which implement strong security, safety, and privacy principles.  Intel’s automotive team is a great example where security recommendations and an industry consortium are driving the development of best practices.
  3. Deliver best-in-class security software solutions to protect from rapidly evolving threats on devices and in applications.  Software has the greatest flexibility to attune to new threats and the risk appetite of how devices are being used.  These solutions will be tailored to run within the potentially constrained computing environments for smaller or fixed-function devices as well as on the manageability infrastructure which provides oversight to groups of systems.

 

 

In the end, 5G is coming and it brings with it tremendous advancements to connect more and smaller devices to our electronic ecosystem.  This opens unforeseen opportunities as well as risks.  To reap the benefits and minimize the risks, technology leaders and security professionals must work in concert now to make the foundations and subsequent implementations of 5G networking safe, private, and secure. 

 

 

 

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.


VBiACU8KJu-5gDIvZ3U9LatdaReFVgMeTLXVlm7Pp4mtZPqqUDD0nbxY5eIozcoL_7wXGGGIBKFFYkDJcxRsd9qs3p8=s2048-1.png“When I grow up, I want to be a CIO”, said no child...ever! Fireman, policeman, doctor, just about anything...but not CIO! Me? I was going to be a rock star! From the moment I first heard the Beatles and the Stones in the fifth grade, all I ever wanted to do was play guitar (after a brief stint on the drums) and write music. My path fromRock ‘n Roll to CIO was indeed a long strange trip!


Looking back on an almost 35 year career in IT there were countless people, countless events, and countless decisions that led me to the office of CIO. It would take a book to mention them all. However, there a few that stand out as inflection points in my journey.


One of the biggest inflection points came in early 80’s when I went from playing a Les Paul to playing keyboard...a 3270 computer terminal keyboard to be precise. As the 70’s came to a close, I was finally coming to the realization that as a guitar player I basically sucked! That, combined with the fact that, although I had written hundreds of songs, not one song had ever been published or even performed for that matter.


I was working as a bill collector for the credit card division of a large bank when the planets aligned. I was given the opportunity to represent our department on the project team that was building a new computer system to run credit card operations. While I was “just” the user representative, I had the opportunity to work along some great developers. I was even given access to the reporting writing system and began to build some reports.


About this same time the Commodore 64 was released. I bought one and was hooked! From that moment on all I wanted to do was write software. I devoured every textbook I could find on coding, SDLC, database theory and design. Eventually, I was given the opportunity to move from being a user representative on the project to actually being a developer on the project. I can’t begin to thank my peers (Joan, Bob, Glenn, John, Lynda, Jane and countless others) on that team for their patience and mentoring as I developed from being a novice to writing damn good code! I couldn’t play guitar like Keith, George or Eric, but I soon learned I could make that mainframe jump, jive and wail! facebook_1456705517445.jpg


Fast forward about a decade and half. I was the lead developer for the order management system at Thomson Consumer Electronics. I had been there about five years as a contractor...a self-described long-haired hippie COBOL programmer...and I LOVED it! We had a team of about 5 programmers keeping the mainframe going and another 15 or 20 building a new warehouse management system using a “new” platform called “client-server”. My team and I were responsible for the mainframe side.


For a lot of reasons, the project was in trouble. It was years behind schedule and millions of dollars over budget. The company made a change and brought in a new manager, Dennis Cuffel, to run our teams. He was not new to the company, just new to us. The first move he made was to hire me off contract. Then it started. “You need to be a manager. You’d be good at it.” I always replied with the same thing. “Nope, don’t want to play the games”. I’ll give him credit. He was persistent.


A few months later, Carmen Hillenburg, the account manager for a national consulting company and I were having lunch. About five minutes into lunch she said, “You ought to be in management. You’d be good at it!” I just shook my head and asked, “Dennis put you up to this, didn’t he?” She denied it. (She has been denying it now for over 20 years, you see, we’ve been married now for almost 15 years, so I guess I have to believe her!). She was as persistent as he was. Months later, I finally agreed and became the application manager for the team when my boss was promoted.


It was now post Y2K. I had been promoted from application manager to director. At this point, I had a team of over 50 employees and dozens of contractors. The team was spread across four different continents. I think for about five years, I spent more time in airports and hotels than at home...Paris, Mumbai, LA, Brussels, Poland, I had enough stamps on my passport I had to get it replaced. I found that they were right...I was good at it...and, I LOVED it!


I am not sure when or how the idea of being a CIO crept into my head. I don’t recall thinking about it much. The company I worked for was huge, the CIO was in Paris. The highest position in North America was General Manager. That role was filled by my boss, Tom Kerby. I learned a lot about management and leadership from Tom. He was a good boss and an incredibly nice guy. However, I wanted more. Our company was downsizing. It seemed like our entire job revolved around budgets and more specifically, budget cuts. I was faced with a decision. I could either move to Paris as an ex-pat or move to Southern California. Spending a few years in Paris sounded very appealing, but after a couple years, you come home and everything and everyone would have changed. Then what? Southern Cal didn’t really appeal to me. Too crowded. So, I made the decision to look elsewhere.


I drafted and sent an email to about 20 people I knew throughout the area letting them know I was interested in making a move. Within minutes, I received a response from a former colleague who was now General Counsel for a real estate developer. He said I had to talk with them. They were looking to “upgrade” their IT department and I would be perfect to help do it. Within days I was interviewing. Several weeks later, I left my job of 14 years to become the VP of IT for Lauth Group, reporting to Ron West.


It was an intense few years on skyrocketing growth, both for the company and for me. Ron was into personal development. Ron was REALLY into personal development. I know I fought a lot of it, it was TOO intense. But looking back I can say it was those few years that turned me from just another “IT Guy” into a leader and into a CIO. One of the books he had me read was “Leadership and Self-Deception” by the Arbinger Institute. Basically, it helps you look at yourself without the guises of self-deception, full transparency. Your strengths AND your weaknesses.


There is an adage in business that you should look for ways to maximize your strengths and make your weaknesses irrelevant. Leaders are encouraged to surround themselves with people that have complementary skills to compensate for their weakness. I do believe in the second part, but I think making your weaknesses irrelevant isn’t done by focusing exclusively on your strengths. I believe you need to assess your weaknesses and identify those that can NOT be “outsourced”. There are somethings on your list that can NOT be done by someone else.


For me, one of those was public speaking. I HATED getting up in front of groups and talking. Heck, I hated talking in meetings. Why? Because, what happens when you speak up in a meeting? Everyone turns to look at you! I couldn’t stand it. I would stammer and stutter, I would freeze up. I couldn’t do it. However, I knew in order to achieve the things I wanted to achieve I would need to overcome that fear. I could not have someone else do all my speaking for me. It would never work. I spent years intentionally putting myself in situations that forced me to speak to groups, all sizes of groups. It was easy and it wasn’t fun, but today I can speak to a room full of hundreds of people. Now, instead of petrifying nervousness, it’s a rush of positive energy.


I spent 10 years of my career as CIO for two different organizations. How did I go from rock ‘n roll to CIO? Through a lot of supportive people, learning from some great leaders and from some not so great bosses (no one I have mentioned here would fit into the latter category), a lot of hard work and determination, and focus on lifelong learning and personal growth.



The series, “The Path to CIO”, explores the careers of CIOs from around the globe in a variety of industries. Each month we will feature the story of their journeys and answer the question, “How DID you become a CIO?” (If you have held the role of CIO and are interested in telling your story, please reach out to me via the links below!)


Jeffrey Ton is the Executive Vice President of Product and Service Development for Bluelock. He is responsible for driving the company’s product strategy and service vision and strategy. Jeff focuses on the evolving IT landscape and the changing needs of our customers, together with the Bluelock team, ensures our products and services meet our client's needs and drives value in their organizations now and in the future


Find him on LinkedIn.

Follow him on Twitter (@jtonindy)

Check out more of his posts on Intel's IT Peer Network

Read more from Jeff on Rivers of Thought

Also find him in People Development Magazine


Amplify Your Value.jpg

The Final Step on our journey to Amplify Our Value was also the most uneventful: we moved our entire production, test, and development environments to the cloud.


What?!!? You moved your entire data center to the cloud and it was uneventful?


Yep, uneventful. In fact, on the night of January 10, 2015, the night we moved 75 Servers, over 200 applications, several THOUSAND device addresses and 15 terabytes of data, I, the CIO, was home in bed sound asleep!


Now, before you accuse me of being derelict in my duties as CIO, let me explain the level of confidence I had in the execution of this final step. If you’ve been following along with this series of “Amplify Your Value” you know it had been a five year journey to get this far. Our team was hitting on all cylinders. Our Senior Architect, Jason Fisher, was (is) a rock star. He is one of those gifted individuals that can see the big picture AND all the minute details. I was confident he and Daniel Whitmyer, our Systems Admin, had it covered.


I was also confident in our partner in this endeavour. We had now been a client of Bluelock for a couple of years. I knew the level of talent they brought to the project as well. Each and everyone of them were the top in their areas. Confidence.


One of the essential steps we had taken along our path to Amplify Our Value also added to my confidence. In “Amplify Your Value: A Tale of Two Recoveries” I told the story of our move to Bluelock for disaster recovery. This not only made the decision to trust them with our production environment an easy one, but it made the transport of all of our applications and data “easy” (remember I WAS home asleep) as well. You see, they already had all of our data and applications in their Las Vegas Datacenter. Moving production was a matter of pointing the replication from one site to the other.


With all those moving parts, we only had two issues. One was with an outdated building automation system that had a hard-coded IP address, and the other was a typo on another IP address. Both of these issues were quickly identified and resolved.


The end result was that our headquarters truly was just another spoke on our hub and spoke topology network. The server room now only contains the switches and routers required to connect the employees there with their applications and the internet. Now a power outage like we had experienced the year before would be a non-event. Our stores could still sell merchandise, our schools could still teach our children and adult students, our nursing program could still help first time expectant mothers give birth to healthier babies, our manufacturing facility could still meet the needs of their customers and all of our other mission-based programs could still help our clients.


Confidence. That sounds so much better than “It was so uneventful it put me to sleep!”


This Final Step completed our journey to Amplify Our Value. I’ve written elsewhere about the tremendous accomplishments this team achieved, so I won’t repeat all of them here.But, here are just a few:

  • Opened 20 new retail stores
  • Developed and launched a loyalty card program with now over 500,000 customers
  • Added 500 new jobs to the Central Indiana area
  • Grew from one high school to 12 with over 3,500 students and 1,900 graduates
  • 26 new B2B customers
  • 150 former inmates served by our New Beginnings program
  • Over 800 babies born to first time mothers
  • Fully automated our online auction processing growing it to a $10 million business
  • Implemented BYOD for smart phones
  • Partnered with Netfor to provide a 24x7 Service desk
  • Dozens of new SaaS-delivered applications including: Workday, Domo, Facility Dude, Wealth Engine, Salesforce Marketing Cloud, and Director’s Desk.


The series, “Amplify Your Value” explores our five year plan to move from an ad hoc reactionary IT department to a Value-add revenue generating partner. #AmplifyYourValue


Author’s note: In the interest of full transparency. To paraphrase the old Remington Shaver commercial from the 70’s, “I like it so much, I joined the company”. In October of this year, I left Goodwill to join Bluelock as the EVP of Product and Service Development. My vision is to help other companies experience the impact Goodwill has felt through this partnership.


We could not have made this journey without the support of several partners, including, but not limited to: Bluelock, Level 3 (TWTelecom), Lifeline Data Centers, Netfor, and CDW. (mentions of partner companies should be considered my personal endorsement based on our experience and on our projects and should NOT be considered an endorsement by my former company or its affiliates).


Jeffrey Ton is the Executive Vice President of Product and Service Development for Bluelock. He is responsible for driving the company’s product strategy and service vision and strategy. Jeff focuses on the evolving IT landscape and the changing needs of our customers, together with the Bluelock team, ensures our products and services meet our client's needs and drives value in their organizations now and in the future


Find him on LinkedIn.

Follow him on Twitter (@jtonindy)

Check out more of his posts on Intel's IT Peer Network

Read more from Jeff on Rivers of Thought