Comment Neelie (Kroes)

Making speeches talk

[...] Attackers can just target the weakest link in the chain, and we need protections across that chain.
Trond Johannessen
This is true today, and may always be true in the big picture. However: let's use the example of systems authorization and look at the difference that Architecture makes when you go to implementation of biometric authentication of the user requesting physical or virtual access. Leaving Hollywood's macabre suggestions about how to create breaches aside, one way of architecting a system is for the users to leave a fingerprint on a physical reader operated at the relevant facility (building, store, parliament). This causes an immediate breach potential that may have grave consequences for any user, as the fingerprint is stored in systems controlled by third parties, and can be propagated to all connected points in the universe instantly by error or by intent. The rules-minded then introduce a rule that says the systems operator is only allowed to use the biometric image for its narrow purpose and not to store or re-use the image. All operators accept that in order to get into business. If you are an agency like No Such Agency, you do it anyway. If you are a Snowden or similar, you copy anyway, as a "nice to have" asset for your uncertain life in Cyberia or Siberia, depending on how long you remain useful to the powers that be. If you are the Madoff of the Information Society, you just take what you can get, whenever you have the opportunity. Instead, if you authenticate each transaction on a user-controlled device, using a biometric image that never leaves the user device, nor can it be copied from that device, you create biometric authentication that does not cause privacy issues and secures a three-level authentication that cannot be (easily) compromised. The solutions "sound" similar, but are miles apart in security, because of the way they are architected. All the coder mal-intent in the world cannot compromise the procedure, because of the Architecture.
This was a small example, hopefully sufficient to suggest what needs to take place at the level of re-Architecting Cyberia. It is not the job of the coder, it is the work of an Information Society Architect.
Trond Johannessen, 12/11/2013 11:55
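The two architectures contrasted in the comment above, as an added example in Python (not code from the comment or the speech): a constructed byte string stands in for a fingerprint template, exact comparison stands in for a fuzzy matcher, and an HMAC key on the device stands in for the device-bound key pair a real deployment would use, so that the server holds nothing biometric. All names are assumed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a fingerprint template; real matchers are fuzzy,
# exact byte comparison is used here only to keep the example self-contained.
ALICE_TEMPLATE = b"constructed-template-alice"


# --- Architecture A: the reader sends the template to the operator's server ---
def central_enroll(server_db, user, template):
    # The operator's database now holds the biometric itself.
    server_db[user] = template


def central_authenticate(server_db, user, presented_template):
    return hmac.compare_digest(server_db[user], presented_template)


# --- Architecture B: the template never leaves the user's device ---
class UserDevice:
    def __init__(self, template):
        self._template = template          # never exported from the device
        self._key = os.urandom(32)         # device-bound key, simulated with HMAC

    def enroll(self):
        # A real deployment registers a public key; the shared HMAC key here is
        # a stand-in so the example runs on the standard library alone.
        return self._key

    def approve_transaction(self, presented_template, challenge, txn):
        # Match locally; on failure nothing is signed and nothing is sent.
        if not hmac.compare_digest(self._template, presented_template):
            return None
        return hmac.new(self._key, challenge + txn, hashlib.sha256).digest()


def device_enroll(server_db, user, device):
    server_db[user] = device.enroll()


def device_verify(server_db, user, challenge, txn, tag):
    # Each transaction is bound to a fresh challenge, so an old tag cannot be replayed.
    if tag is None:
        return False
    expected = hmac.new(server_db[user], challenge + txn, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def breach_leaks_biometric(server_db, template):
    # What someone who dumps the operator's database would obtain.
    return any(hmac.compare_digest(v, template) for v in server_db.values())
```

Dumping the central database yields the template itself; dumping the device-architecture database yields only the verification key, and a tag issued for one challenge does not verify under another.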