For years and years, security folks (including myself) have pushed for stronger and more reliable means of identifying yourself to a system or application. Whether you care about security, or privacy, or both — the importance of authentication has been at the front of our collective consciousness in Cybersecurity for at least a decade.
But recently, something interesting happened. Well, to be more direct — something globally disastrous happened. Covid-19 challenged us not to touch things that other people may have touched in order to prevent the transmission of a potentially lethal virus. Suddenly, touching something as simple as a PIN pad on a payment terminal or ATM could prove life-threatening.
Let’s focus on the front lines of the war against this virus though — on the healthcare professionals in the hospitals and doctors’ offices and testing stations. These are the places where we still need sound security practice to keep information from leaking out or being stolen, much like before. Criminals aren’t suddenly going to stop being criminals just because the world is on fire, folks. The challenge now is, how does your security strategy and approach measure up against the requirement to be minimal-touch?
For those who have been pushing for multi-factor authentication (MFA) to force people in the healthcare space to be sent an SMS message, or carry an authentication token like an RSA key, in order to log into their device — it’s going to be tough. Those measures feel right, but are they accomplishing the right goal? Security, when implemented in a business-goals-aligned manner, shouldn’t force your constituents to choose between security and personal/patient safety. Right?
So things like prox-cards (while I know they can be copied and are far from a perfect solution) are a very desirable solution because they use near-field communication and don’t require someone to physically touch the device more than they need to, or grab and touch a secondary device. Face unlock (thanks Apple, and now others) would have been huge except that the need to wear a face mask/shield torpedoed that idea for healthcare workers. I’m sure there are other solutions I’m not even aware of, since my expertise does not lie in authentication and identity management.
So here’s the thing — the truly effective security professionals I know and speak with have been thinking about use-case driven security a long time. This is the basic idea of asking the question “What is the most effective and minimally invasive way to accomplish the safety and security goals, while meeting the goals/requirements of the business?”
As you look at your security measures for dealing with the global pandemic right now, and then later think about your security strategy for the future — keep that question in mind because rest assured we will be at this point again. We will have a global catastrophe again… I pray that it isn’t in the near future… but it is naïve to think it won’t happen. Prepare your business, and ensure your security strategy aligns with the use-cases your business lives with both today and tomorrow.
Good luck out there.