On July 15 we lost a major contributor to modern-day IT security – Dr. Fernando Corbato, the inventor of the password. Back in the early 1950s, computers could only do single processing jobs. This limitation meant that multiple users could use the same system but, in essence, shared all content. This meant that each computer was tied to a single user.
Dr. Corbato recognized this limitation and developed an operating system called CTSS (Compatible Time-Sharing System). CTSS allowed users to share and save work without impact on other users, and users wouldn’t see each other’s files. This is where the password came to be. When users logged in with their password, they had access to their work and only their work. It was a brilliant invention and shaped the world as we know it. Passwords are everywhere.
A solid foundation for security
As we all know, the concept of the password has been largely unchanged since that time. We still require a user name and password to get access to our “stuff,” whether that be at work, home, or abroad. We have talked at length about the death of the password, yet it remains as prevalent as ever. You may ask yourself, “well, why?” The password is ubiquitous, and that’s because it works, and everyone ‘gets’ it.
With a password you don’t need any other device or apparatus to get access; it’s simple. But in its simplicity, there is significant risk. That risk is due in large part to management issues both on the back end (IT) and with the end-user. The risk to organizations comes in the form of a breach.
With today’s focus on privacy and the requirements to manage data correctly (GDPR, CCPA, etc.), a breach will more than likely impact the organization in more ways than one, such as fines, loss of customers, damage to brand equity, etc. But I’m not telling you anything you don’t likely already know.
Is it enough?
As organizations transform into a digital environment, they face pressure on multiple fronts, not only from a governance and compliance standpoint, but also from elements such as IoT and customer experience. And with that, we need to change.
We need to change because there is so much more to protect, and frankly, much more at stake. We need to do a better job at securing everything (user, device, thing, service, etc.). And so, just as Dr. Corbato enabled us to “share” computers, we need to move on from his invention while remembering where we came from. The username combined with the password allowed users to share core processes and data, but as organizations continue with their digital transformations, they need to consider how to build secure environments from the onset.
The risk to the modern organization continues to drastically increase. Security starts with authentication and authorization. That needs to be done right, or it’s a non-starter from a security and privacy perspective. It’s no secret we are quickly outgrowing the simple username and password. We are approaching a zero-trust authentication model where we need to employ new methods to grant the right access, to the right things at the right time, with the right experience, to reduce organizational exposure and risk.
We need to start now.
Looking to the future
How do we celebrate what was, and look to what’s next? Single sign-on (SSO) and federation were a big step in user authentication, but how are we going to bring divergent and siloed infrastructures – that most organizations are built on – into a manageable secure infrastructure and ensure a tailored user experience and device-to-device engagements with the right balance of security? That’s the magic question.
We have many options available, but technology adoption that supports the different authentication methods isn’t widespread. Every organization is different, and as a result, needs different authentication methods. Therefore, there isn’t a single option that is as pervasive as the password is and was.
As for me, I believe the smart device is the key. As these devices evolve, they will be the key to widespread access and authentication method adoption. Most people have at least one device they never leave home without, and manufacturers continue to pack tech and privacy controls into these devices. I believe these hold the key to frictionless access and enhanced security. They are becoming universal, and in my opinion, the next step in the security evolution.
Thank you, Dr. Fernando Corbato, for an invention that changed the face of security and for building the foundation from which we can take the next step!