I am going to try to make this short since Treasure Hunters is about to come on, so here goes. I posted yesterday on my Computerworld blog about some stuff I wrote for a friend of mine on two-factor authentication. I checked back today to see if I had any comments, and I did (woo hoo for me). I read the comment, and here is part of what I got:
What is needed is “smart” content that works with multiple trust levels, that self-authenticates not only the content but the user as well. This is done using a modified token inside the content. It also creates an audit trail within a token receipts for archiving.
Content-centric security allows content to be securely transferred globally and outside the enterprise, without centralized authority. No, there is no standard but this approach solves most, if not all, of today’s issues concerning authentication.
OK, this really gripes me. First off, there is so much of this “we need this” and “we need that” and “it would be great if…” and “this would solve so many problems” that I am going to puke. I am just tired of hearing it. Yea, there are a lot of things out there that need to be done, but since when does a “need to be” turn into something tangible overnight? Not to mention the fact that this guy sounded like he was trying to sell something and then didn’t even link to a website or anything.
I am not arguing whether this guy is right or wrong. I am not arguing whether or not the state of InfoSec needs to change (it does). Basically, I just want people to be realistic and deal with what is available today. I am not asking for status quo. I just want people to recognize that us guys and gals in the trenches need to use products that are on the market now. If we were supra-geniuses that could make up new technology to protect our network while sleeping, then we would do it. But we aren’t and we can’t (I guess I should speak for myself). We rely on those people who research this stuff to do that.
So friggin’ stop arguing with me every time I say multi-factor authentication is a good idea! It is what we have today. Just because it can be compromised in some fashion does not mean I should take it out of my network. Once again, DEFENSE-IN-DEPTH!! It is another layer.
I am not against research and looking for something new. I just am tired of being preached at about how something is better when it ain’t even sold by anyone yet! Sheesh.
Vet

Mike, you are correct. I’m the one that wrote the CCS concept that Michael Farnum is attacking. He obviously has not worked with the details of authentication. Knowing the problem well leads to newer tools that can now be demonstrated. Multi-factor authentication is like increasing the size of the encryption keys while still using a weak algorithm. Smart, self-governing content is on its way and will be the paradigm shift in security. I’m working on my 4th spinout company using this technology. We are focused on application-specific solutions for payments, certifications/validation of product life-cycle events, secure ID that can not be counterfeited like most smart cards can be, and in downloaded media (just know our approach is being evaluated by two media groups). “Reality vs. We need.”
This person is talking about persistent control. It is available today but for very limited use cases. Folks like Adobe, EMC Authentica, Stellent SealedMedia and Liquid Machines are trying to push this kind of architectural construct. The problem is the level of integration needed to make it work. The right place is in the database and/or content management system. But this is clearly a future…
And actually this doesn’t deal with authentication at all. You need a separate environment to manage identities and the access roles associated with those identities. This is just about protecting content.