Google’s plan for Data security

June 13th, 2013 by admin Leave a reply »

Gmail and Google Apps account hijacking has been the linchpin of a number of high-profile targeted attacks, starting with the Aurora attacks of 2009, right up until last week’s attack against the Twitter account belonging to the satirical Onion news site.

Granted we’re talking about two very different levels of severity between stealing data from the defense industrial base and sending out a few politically motivated hoax Tweets, but the thirst for legitimate credentials among state-sponsored hackers, cybercriminals and hacktivists won’t abate any time soon.

The chase, along with the general inadequacy of passwords, has forced Google for one to aggressively pursue a new direction for authentication into its online services. The company this week announced a new long-term plan for strong authentication, one that builds off a similar initiative in 2008 that led to the current implementations of two-factor authentication for Gmail and risk-based login challenges in order to determine if requests for access are indeed from the intended user.

Going forward, Google hopes to put strong authentication in place when endpoints such as laptops, tablets or Smartphones are first configured and have the device act as an authenticator. It also explained a number of other measures it would like to see implemented in the relatively near future. Clearly, smart phones have changed the dynamic of authentication for Google.

“With mobile devices like Android the usability is even further improved because you only login to the device once at the OS level and it works across all the apps on the device instead of having to go through a multi-step login flow for each application,” said Eric Sachs, a product manager with the Google security team. “However to improve the usability of this approach, one of our goals will be to have a consistent concept of identity between the OS, applications, and websites accessed from the browser on the device.”

Google has also thrown its support behind the Channeled open standard, which aims to secure the cookie on the device that certifies the user has signed in to a service.  The concept puts up a barrier for man in the browser attacks that attempt to sniff and steal cookies as they’re passed to the browser. This tighter connection between cookies and encryption keys as proposed in the standard and currently in place in the Chrome browser is another priority initiative for Google going forward.

“In essence, the browser self-provisions an anonymous public-private key pair for each web domain it needs to talk to via SSL. The web domain can use the consistent SSL public key Channel ID presented by the client device to tie into cookies that it issues to the client device,” Sachs said. “But once the cookies are ‘tied’ in this manner, they are no longer reusable bearer tokens.  The web server will only accept them as part of a connection that has been digitally signed with the same ChannelID.  ChannelID significantly reduces the risk associated with leaked reusable bearer tokens.”

Google said it also is re-thinking how to unlock devices so that pass codes are no longer necessary, and involve the use of fingerprint scanners, Near Field Communication between devices, or proximity readers. These same concepts could be applied, Google said, where the OS would intervene when a risky behavior appears in the browser and request the user to approve it via a fingerprint check, for example. Google acknowledges this could require changes to APIs and how the OS and browser communicate.

Google is doing its best against data breach and enhancement of data security.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Leave a Reply