Future of the PII — no hope in real Identity Protection
From 3A (Authentication, Authorization, Accountability) Security pillars, I share my thoughts about the first pillar — Authentication.
Authentication has gone long way from unencrypted password to sophisticated MFA (Multi Factor Authentication) systems. MFA in the modern interpretation means:
- Something You Know
- Something You Have
- Something You Are
Different systems explain these components different way (password, device, retina scan, as an example). But as the recent breaches are showing — it is not enough , and many vendors implement additional logic on Authentication process, based on AI, like Azure Identity Protection and many others. Systems inspect many additional factors like time of date, geo-location, anonymous IP address etc.
As you can see, tendency in Authentication is more and more leaning to get more information about person who accesses system, e.g., PII. Many countries, in addition, have more stricter rules accessing even Internet — for example, you need to register with Government ID to access Internet in public places, and phone or any other devices are strictly bound to particular person, providing additional Identification option.
And, yes, we came to the point — all Information Systems are slowly leaning to add Identification as part of Authentication. It may have different meaning in different countries — but, technically, this is something which is bound to person — phone number, IPv6 (in the future)- something else may come in the future like microchip etc.
The question is not about good or bad. The reality is — any system can be hacked. It is just matter of time and the resources invested.
While for the most of the people Anonymity in Internet technically does not exist — and it is just marketing move to up-sale VPN and security solutions — Anonymity in Internet still can be achieved, it just costs more, and those who can use it, can hack Information System, assuming right amount of resources are invested.
Is there a solution? I hope, I could say — Yes, buy this product and you are protected, or do this and that. But.., the reality is No, there is no solution, it is ongoing race. The worst - everyone knows it.
How it affects everyone? We are giving more and more PII to access Information System and most of those systems are actually not related to our job, but those are external systems like personal email,social networks, etc., literally, without any or very little warranty from Information System, that our information will not be exposed, and it comes to the point , that someone will have all information, and instead our information will be used to direct our opinion and sold to 3rd party.
There are many lawsuits going around, but I do not see and foresee any real change. Instead those lawsuits are tend to force Information System to work for particular group. All groups involved are interested only to control and own that information, not how to protect it.
How we can protect ourselves? Well, again, there are not much options, unless we go paranoia way, and it is still not full protection:
- Using second identity — (is not always an option).
- Cutting bank accounts, social network accounts, email accounts — (are not convenient).
- Installing VPN, firewalls etc — (is kind only very first level of protection).
- Using Spot Cloud Instances to publish posts and check emails — (not everyone is technically savvy to this level)
List can be continued to whatever level one thinks is ok.
Summary (Ultima Iudicium)
Protecting identity is becoming more expensive and more time consuming, to the point that person agrees to give up more PII, to get ephemeral sense of protection.