Cost of breach vs. cost of deployment
In security terms, 2014 read like a who’s who of data breaches. Huge, global companies like Target, eBay and Coca-Cola have succumbed to data loss. Public services like the US Postal Service have also been left exposed. Others do not want to follow suit in 2015.
There’s no question that significant investment would have been made to support these companies’ security strategies, but all of them fell short in some way. And at what cost?
As revealed in the 2014 Cost of Data Breach Study: Global Analysis, the average cost to a company that had data lost or stolen was US$3.5 million, 15% more than the previous year. That figure does not include the significant dent to consumer confidence.
The same study (which surveyed 12 large global companies) found that, on average, those companies currently spend $7 million on their security strategy and mission, yet respondents felt that $14 million would be a suitable level of investment.
Today’s organizations, both large and small, are faced with the challenging task of securing a seemingly borderless domain of company assets.
The Ponemon Institute found that, in most cases, the primary root cause of a data breach was a malicious insider or a criminal attack. Identity and Access Management (IAM) can play a critical role in protecting internal company assets from both. With users connecting from smartphones, tablets, and desktop computers, it is important to grant access to data based not only on the user's credentials, but also on the credentials of the device from which the request is made. For example, if a laptop was not purchased by the company and assigned to an employee in the finance group, it probably should not be requesting access to customer billing information.
Security breaches are happening on a daily basis, with millions of usernames, passwords, and associated personally identifiable information being harvested. This information, while valuable in and of itself, is further used by threat actors to impersonate the affected individuals elsewhere, such as on shopping or banking sites. What are the preventive measures and controls that will make a company more resilient and effective in securing itself (and saving on clean-up costs)?
Users and organizations often still view username-and-password logins with a false sense of security. Phishing schemes are becoming more elaborate, more refined and more targeted, and a single compromised account gives access to the network, where additional identities can be gathered and new accounts created. While company IT departments enforce password complexity rules and frequent change requirements, users re-use those same passwords on public sites where security is often less stringent, providing another route to compromise. Cloud computing has also made cheap, on-demand processing power available to anyone mounting a brute-force attack on stolen password hashes.
Compared to passwords, smart cards are far more capable of keeping unauthorized individuals out of a system or network. This is because a system protected by a smart card requires the user to hold both the physical card and the corresponding PIN, and it is far more difficult for a thief to obtain both. This "two-factor authentication" approach greatly reduces the credential theft seen with passwords: only one copy of the card (and of the key material it contains) exists, and only one individual can use a given logon at a time, so the same credential cannot be replayed from several entry points at once.
However, while smart cards offer greater security than passwords, they come with logistical challenges. The roll-out of physical smart cards across an enterprise can be cumbersome, and a lost or stolen card still poses a security risk until it is revoked. Support costs are traditionally higher, and replacement cards are expensive (per card, often more costly than the original deployment, because of the complications involved in reissuing one).
Borrowing from the smart card philosophy, the virtual smart card offers many of the same attributes while reducing the operational challenges by leveraging the Trusted Platform Module (TPM). The TPM is an embedded security processor that provides tamper-resistant key storage and cryptographic functions to the operating system and its applications. The TPM is an industry standard developed by the Trusted Computing Group (TCG), and the chip itself is already present on the vast majority of business-class devices in the enterprise.
The TPM provides RSA key generation and cryptographic operations, HMAC (Hash-based Message Authentication Code), a Random Number Generator (RNG), protected flash, NVRAM and ROM memories, and modules (counters and supply voltage measurement) used for tamper detection. The three primary properties of a physical smart card (non-exportability of keys, cryptography performed in isolation from the host operating system, and anti-hammering against PIN guessing) are all supported by the chip, which is what makes the virtual smart card possible. While the core TPM hardware that enables strong authentication and use as a Virtual Smart Card (VSC) has existed for some time, the business focus on strong authentication as an integral component of a security architecture is relatively new.
One of the key dynamics that makes VSCs accessible to a much wider audience than physical smart cards is the elimination of upfront hardware costs together with a sharp reduction in ongoing maintenance costs.
In a traditional smart card scenario, a company that wants to deploy the technology needs to purchase both smart cards and devices either with a built-in smart card reader or an external reader for all employees. Though relatively inexpensive options for smart cards can be found, those that ensure the key properties of smart card security (most notably non-exportability) are more expensive. TPM virtual smart cards, however, can be deployed with no additional material cost, as long as employees have computing devices with built-in TPMs; and these devices are extremely common in the market.
Additionally, the maintenance cost of VSCs is considerably lower. Estimates suggest they operate at a 45-60% lower total cost of ownership than USB token solutions. Whereas physical smart cards are easily lost, stolen, or broken through normal wear and tear, a TPM VSC is only lost or broken if the host machine is lost or broken, which is a much less frequent occurrence. Taking these costs into account, deploying VSCs typically costs less than 50% of a physical smart card approach while providing the security and strong authentication an enterprise requires. The savings are even greater when total cost of ownership over three or five years is taken into account.
The rule of thumb is this: anywhere you can use a physical smart card with an end-user computing device, you can use a VSC, since it provides the same functions and is presented to the operating system through the same smart card driver stack (to applications, the VSC looks like a smart card reader with a card permanently inserted).
VSCs provide security equivalent to proven physical smart card schemes, using certificates to implement strong two-factor authentication. By using the TPM, an organization starts with an embedded hardware-based root of trust that can be extended to further use cases. Requiring two factors (the key bound to the device's TPM and the PIN known to the user) makes it much harder for an attacker to gain entry to the device, protecting the user's credentials and preventing unauthorized access to corporate assets.
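The following PowerShell script is an added example, not code from the original article or from Microsoft; it walks through the deployment the article describes on a Windows client: checking that a TPM is present (the precondition for the "no additional material cost" claim), creating a TPM virtual smart card with Microsoft's tpmvscmgr tool, enrolling a certificate whose private key is generated on the card, and then auditing the two properties a practitioner should verify on every enrolled card: that the key is non-exportable and backed by the smart card key storage provider, and that failed PIN attempts are counted by the TPM's own lockout logic (the anti-hammering property). Because the key is bound to one physical machine, the resulting certificate also identifies the device, not just the user. The card name "CorpVSC", the certificate template "SmartcardLogon" and the CA configuration string "ca01.corp.example\Corp-Issuing-CA" are assumed, illustrative values; substitute your own.

```powershell
# Added example (not from the original article): provision a TPM virtual smart
# card and audit the properties the article attributes to it. Assumed values:
# card name "CorpVSC", template "SmartcardLogon", CA config
# "ca01.corp.example\Corp-Issuing-CA". Run elevated on a domain-joined client.

# 1. Deployment precheck: a VSC needs a present, ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on this host; a virtual smart card cannot be created here."
}
$spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
Write-Host "TPM present, spec version: $spec"

# 2. Create the virtual smart card.
#    /pin prompt     : the user chooses the PIN interactively.
#    /adminkey random: a random admin key that is never disclosed, so the card
#                      can only be reset by destroying and recreating it.
#    /generate       : initialise the card's file system so it is usable at once.
& tpmvscmgr.exe create /name "CorpVSC" /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed with exit code $LASTEXITCODE" }

# 3. Enroll a user certificate whose key pair is generated on the card.
#    Exportable = FALSE together with the smart card KSP is what gives
#    non-exportability: the private key never leaves the TPM-backed card.
$inf = @"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyAlgorithm = RSA
KeyLength = 2048
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Smart Card Key Storage Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = SmartcardLogon
"@
$work = Join-Path $env:TEMP "vsc-enroll"
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path "$work\req.inf" -Value $inf
& certreq.exe -new "$work\req.inf" "$work\req.csr"          # key generated on the card (PIN prompt)
& certreq.exe -submit -config "ca01.corp.example\Corp-Issuing-CA" "$work\req.csr" "$work\cert.cer"
& certreq.exe -accept "$work\cert.cer"                      # binds the issued cert to the card key

# 4. Audit: the key must live in the smart card KSP and carry no export rights.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$env:USERNAME" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$key = $rsa.Key    # CngKey handle: exposes provider and policy, never key bytes
"Provider     : {0}" -f $key.Provider.Provider
"ExportPolicy : {0}" -f $key.ExportPolicy          # 'None' means not exportable
if ($key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None) {
    Write-Warning "Private key is exportable; this certificate does not meet the VSC requirement."
}

# 5. Anti-hammering is enforced by the TPM, not by the OS: wrong PIN attempts
#    feed its dictionary-attack lockout. The counters are readable without any secret.
$tpm = Get-Tpm
"LockedOut={0} LockoutCount={1} LockoutMax={2}" -f $tpm.LockedOut, $tpm.LockoutCount, $tpm.LockoutMax
```

Step 4 is the check worth scripting across a fleet: a certificate that shows a software KSP or an export policy other than None was not issued to a VSC, however it was requested, and should be revoked. Step 5 is the reason the PIN can be short: the TPM, not the host, decides when guessing stops, so an attacker who images the disk gains nothing to attack offline.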
Criminals can still do a whole lot of damage with just customers’ name, address and date of birth. Inclusion of VSCs into a comprehensive security regime will significantly enhance organizational security posture at a fraction of the cost of other alternatives. Multi-factor authentication is a critical element to help thwart these ongoing breaches, and help save on the clean-up costs. It’s not about spending more, it’s about spending it smarter.