
Increasing numbers of organizations are starting to talk seriously about doing away with their enterprise networks. The Jericho Forum was founded back in 2004 to address the issue of what they called “de-perimeterization” – the fact that with mobility and cloud services, the traditional physical network perimeter (as defined by a firewall) was no longer a very useful concept. But nearly 15 years on, the traditional perimeter soldiers on in most enterprises. But now it seems like mainstream, conservative enterprises are seriously talking about a future model where they just provide raw Internet to the desktop.

Zero trust – up to a point

For all but the very highest security environments, I’m a big supporter. As so often, we can probably trace a lot of this to Google with their 2014 “BeyondCorp” paper, but the logic is pretty simple: if employees spend half their time working from home or on the road, plugged into the raw Internet, why do anything different in the office? But from some of the conversations I’m having, it seems like quite a few people are confusing “raw Internet to the desktop” with “stop worrying about endpoint security”. In most cases that would be a big mistake.

If the user’s endpoint gets compromised, the attacker may have complete control over that endpoint. In that case, anything the user can do, the attacker can too. So, if the user can initiate a large order, or a refund, or change a customer’s details – so can the attacker. This is a problem that we all know well: how to protect the money in our bank accounts given that we carry out online banking from potentially insecure endpoints. The technical answer is two-factor authentication: when we ask to carry out a sensitive transaction, we may have to confirm it using a second, more secure device. Here in the UK, online business banking and some online consumer banking relies on hardware card readers to validate that a transaction has been initiated by a valid user. But use of hardware 2FA devices for online banking is not ubiquitous, and the reason for that is that users hate it. In many cases, banks would rather take the hit of the inevitable cyber crime than force their users to use 2FA.
