Secure Key Management - An Important Risk Carrier
Author: Arindam Bhattacharya
Password and key management are the two most important elements of data security. As businesses have come to rely more on data, both the data stakeholders and the other application agents are slowly accumulating extended risks. Password weakness can affect every business service, while weak key management can lead to major data breaches. At present both are handled by standard technology and processes, but unknown factors may reduce a secure status to a marginal one.
While data stakeholders are simply the business and application users, residents are the application agents (please read as the modules responsible for authentication and authorization) that are native to or integrated with the application. These residents can introduce unprecedented risks through the way they are developed or integrated.
This means the risk of leakage comes not only from common password-related threats; it can also arise effortlessly through embedded programs designed to capture input. The risk lies with the devices (if external programs capture keystrokes) as well as with the application (where and how passwords are stored).
Nothing other than trust is driving this space. How far safe computing can be achieved merely by not sharing passwords is therefore also questionable.
Passwordless solutions are gaining momentum, and password as a service will soon be a need. End-to-end distrust in authentication and access needs to be designed in to cover both servers and endpoints, because of the gaps created by letting users choose their own passwords (whether one password in the enterprise or many in public) and by sending next-factor keys to untrusted devices.
This matters because, as of now, public apps and sites, including financial services, are not serious about device security; they deliver services based on the known standard, while a lot of innovation is still required to onboard intelligent security for consumers.
Virtual keyboards may safeguard only against a physical keyboard, not against a virtual keyboard at the device app. The second thing required is technical assurance of the provider app by an independent body.
As of today, no external site should be assumed safe, because the passwords and encryption keys in use can be broken; the possibilities are that they can be:
1. Left unhashed at the backend (for example, a decryption routine attached to the application may store decrypted passwords in a database table).
2. Stolen through embedded key-logging programs (for example, a program attached to record keystrokes).
3. Advanced encryption broken through intelligent AI programs.
Adversarial AI programs are becoming capable of introducing a big risk to traditional and modernized applications alike, putting both encryption and key management at risk. End users as well as end programs will be affected.
Standard-driven audits alone are not sufficient. As an auditor, one would want to understand the logic of the code base and its integrations, along with an analysis of how the encryption libraries are exposed, i.e., their accessibility and visibility from end-user systems (especially the developer's and app support staff's systems) as well as from other endpoints. Secondly, API key management is also an important thing to examine.
How can this risk materialize? For example, spyware dropped at an endpoint may run AI programs remotely, receiving and sending instructions and responses through a command-and-control server, which may further probe and intercept secure outbound connections or key channels, or even encrypted data at rest.
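The first risk in the list above (passwords that a backend can decrypt back to plaintext) and the auditor's question of how credentials are actually stored can both be made concrete. The following is an added example, not code from the post or its author: it places the reversible storage pattern the post describes (a toy XOR under a static application key, a constructed stand-in for whatever decryption routine an application ships with) beside the hardened form, a salted PBKDF2-HMAC-SHA256 hash verified in constant time, and adds one audit check an auditor can run over a credential table: if two users with the same password store identical bytes, the backend is using unsalted hashing or deterministic, reversible encryption. The iteration count, the key bytes and the user names are assumed values.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy value for PBKDF2-HMAC-SHA256; tune to the deployment's latency budget.
PBKDF2_ITERATIONS = 600_000

# Constructed placeholder for a static application key kept in configuration.
STATIC_APP_KEY = b"app-key-in-config"


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy reversible transform standing in for an application's decrypt/encrypt routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def insecure_store(password: str) -> bytes:
    """Reversible storage: anyone holding the application key recovers the password."""
    return _xor(password.encode("utf-8"), STATIC_APP_KEY)


def insecure_recover(blob: bytes) -> str:
    """The decrypt path the post warns about: plaintext comes straight back from the table."""
    return _xor(blob, STATIC_APP_KEY).decode("utf-8")


@dataclass(frozen=True)
class StoredCredential:
    """What a backend should persist instead: algorithm, work factor, per-user salt, digest."""
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes


def secure_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> StoredCredential:
    """One-way storage: a fresh random salt per user, stretched with PBKDF2-HMAC-SHA256."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential("pbkdf2_sha256", iterations, salt, digest)


def verify(password: str, cred: StoredCredential) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


def find_deterministic_storage(records: list[tuple[str, bytes]]) -> list[tuple[str, str]]:
    """Audit check: report user pairs whose stored credential bytes are identical.

    With independent per-user salts, equal passwords never produce equal stored values,
    so a collision points at unsalted hashing or reversible encryption under one key.
    """
    first_seen: dict[bytes, str] = {}
    collisions: list[tuple[str, str]] = []
    for user, blob in records:
        if blob in first_seen:
            collisions.append((first_seen[blob], user))
        else:
            first_seen[blob] = user
    return collisions


if __name__ == "__main__":
    # Constructed sample: two users (assumed names) who happen to share a password.
    shared = "correct horse battery staple"
    weak_table = [("alice", insecure_store(shared)), ("bob", insecure_store(shared))]
    strong_table = [("alice", secure_store(shared).digest), ("bob", secure_store(shared).digest)]
    print("reversible backend:", insecure_recover(weak_table[0][1]))
    print("collisions in reversible table:", find_deterministic_storage(weak_table))
    print("collisions in salted table:", find_deterministic_storage(strong_table))
```

The audit function needs only the stored bytes, not the application key or its decrypt routine, which is the point for an auditor who is assessing a backend without being handed its secrets.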