This isn’t going to be a blog posting about me writing a blog post. No, I’m referring to metadata. I recently read an article on Digg about Apple’s new Maps app and the accumulation of metadata. The amount of stuff Google, Apple, Amazon, etc. are collecting is huge. Read about this recent Apple patent on metadata and what sorts of things they are planning to use it for (this is a must-read, by the way).
If you’ve been following my rants…er…blog, you’ll remember a recent posting where I talked about metadata in a virtual environment. Well, for a change, and because this is a short post, I’m not going to talk about virtualization.
Nope, I’m thinking of the metadata itself. More and more applications and devices are generating metadata: location information, accelerometer data, usage patterns, etc. (see that Apple patent I mentioned earlier!). Lots of great data that I believe will eventually be consumed by security vendors. Many in the industry are investigating the use of metadata to provide multiple factors of authentication. But here’s my worry: how much of that data can you trust? Meaning, is the data valid? Was the device that generated the metadata compromised? Was the email and calendar server where we store our work and home lives compromised and some data changed (example: the location of a meeting last week)? If we are using metadata as authentication factors, can we live with some of it being compromised or of questionable value? I say “Yes”. Read on…
My new security term – The Tidbit
I’m a foodie, so let’s run with the “morsel of food” analogy, shall we? One morsel isn’t going to make a meal. But, like going to a tapas bar, when you order up a bunch of tasty morsels you’ve got yourself a meal. Let’s think of that in the context of security. Now, just one tidbit, in this case your current GPS location, isn’t going to get you through the VPN, but what about multiple tidbits? Will that be “good enough” to replace passwords for some folks? (Probably. I’ve seen crazier things happen.) Will that make a “secure” meal? Obviously, that’s a decision for you to make. I always like to say “apply the right level of security based on the sensitivity of the data”. For some things, like accessing a corporate web page that only contains reference information, a couple of tidbits might be OK. But for VPN, because it’s far more intrusive into the corporate infrastructure, I might need two or more tidbits PLUS SecurID.
But what if the metadata is compromised?
OK, now that we’re looking for that security meal that will allow me access to what I need to get to, we have to start thinking about how it can be compromised. Like a meal, will one bad-tasting tidbit kill me? Probably not. I’ll probably spit it out and push it off to the side of my plate.
Well, if I’m using all these cool geek tidbits like GPS, accelerometers, photos, meeting information, etc., I can safely toss any that are suspect and maybe bring a new tidbit online to replace them. Or maybe I’ll randomly change, from the server side, which tidbits I’m looking for, ensuring that I’m staying one step ahead of the bad guys. (Hey, that’s adaptive authentication!) After all, what I’m looking for is the sum of the parts, not the parts themselves. Just like a bunch of unclassified data, when put together, can produce classified data.
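One way to model the “sum of the parts” idea in code, as an added example that is not from the original post: each tidbit carries a trust weight, suspect tidbits are discarded rather than counted, the required score and the SecurID-style token requirement depend on the resource’s sensitivity, and the server picks at random which tidbits to ask for. The signal names, weights and thresholds are assumptions for illustration.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Tidbit:
    kind: str        # which signal: "gps", "accelerometer", "calendar", ... (names assumed)
    weight: float    # trust points this signal earns when it checks out (assumed values)
    suspect: bool    # failed its own sanity check: stale, physically impossible, tampered

# Per-resource policy (assumed thresholds): a reference web page needs a light meal,
# the VPN needs a bigger one PLUS a SecurID-style token.
POLICY = {
    "reference-webpage": {"min_score": 2.0, "token_required": False},
    "vpn": {"min_score": 4.0, "token_required": True},
}

def score_tidbits(tidbits):
    """Sum the weights of tidbits that pass their checks.

    Suspect tidbits are spat out and pushed to the side of the plate: they are
    reported but contribute nothing, so one bad signal does not poison the meal.
    """
    accepted = [t for t in tidbits if not t.suspect]
    rejected = [t.kind for t in tidbits if t.suspect]
    return sum(t.weight for t in accepted), rejected

def decide(resource, tidbits, has_token):
    """Return (allowed, score, rejected_kinds) for a resource under POLICY."""
    policy = POLICY[resource]
    score, rejected = score_tidbits(tidbits)
    if policy["token_required"] and not has_token:
        return False, score, rejected            # no token, no VPN, whatever the score
    return score >= policy["min_score"], score, rejected

def pick_challenge(available_kinds, how_many, rng=random):
    """Server side: choose at random which tidbits to ask for on this attempt.

    Changing the mix per request is the adaptive-authentication trick from the post;
    pass a seeded random.Random for reproducible results.
    """
    return rng.sample(sorted(available_kinds), how_many)

if __name__ == "__main__":
    # Constructed sample: the calendar entry failed its integrity check, so it is dropped.
    meal = [Tidbit("gps", 1.5, False), Tidbit("accelerometer", 1.0, False),
            Tidbit("calendar", 2.0, True)]
    print(decide("reference-webpage", meal, has_token=False))   # (True, 2.5, ['calendar'])
    print(decide("vpn", meal, has_token=True))                  # (False, 2.5, ['calendar'])
    print(pick_challenge({"gps", "accelerometer", "calendar", "photos"}, 2))
```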
The point here is that we will no longer have a one-size-fits-all methodology for authentication. There are new methods for verifying people on the horizon. Mash that up with Big Data and you get a world where, in order to confirm a transaction on your mobile phone, the app (and back-end server) knows you’re in Lowe’s and tells you to go to Aisle 16 and scan the bar code of a specific product before it processes your transaction.
Feasible? Sure. Practical? Well, we’ll see, won’t we?