Securing the Walled Garden
A few weeks ago, online tech news site The Verge reported a security hole with Apple’s password reset software. All you needed to reset an Apple Id, it said, was a valid email address and date of birth. In this day and age, with personal details proliferating across the Web, it’s not hard to imagine how to get hold of either.
The shame, perhaps, for Apple, is that the company was in the middle of implementing two-factor authentication for its mobile devices. To add insult to injury the registration process was three days, leaving anyone concerned about the security hole vulnerable to attack.
On the upside, the breach has now been closed – it is no longer so easy to hack an Apple Id. However the situation does paint a stark picture of the state of play today, which brings together a number of factors.
First, the context. Apple was pack leader in creating the conceptual ‘walled garden’ – that is, a technology environment within which everything was just supposed to work. Other players have been following suit, including Google and even Microsoft – notable in passing, given that if the latter had tried to pull off such a stunt just a handful of years ago, it would have been hauled through the courts.
The walled garden creates a virtual boundary around a set of devices, systems and both local and web-based applications. Its nature is to make things very simple for people working within it to do what they want to do. At the same time, however, it creates a security risk – that is, find the key to the garden, and you have access to everything within it.
The Apple Id is the golden key, with which the whole of a person’s Apple universe can be unlocked. The shocker at the heart Apple’s recent breach, given all the effort and focus in terms of ensuring the security of apps, operating systems and devices themselves, is that the whole lot could be left bare with merely a flaky password reset algorithm.
This isn’t a dig at Apple, but a good illustration of one half of challenge faced by both the company and its competitors. The other half comes from the fact that attempts to strengthen the walls of the walled garden only serve to increase its complexity, making it less usable and, therefore, less attractive.
This dilemma is illustrated by the two-factor authentication which was being implemented at the same time as the hole was identified. While it does reduce the security risk, two-factor authentication increases the effort a user has to make. For example, if a pin code is sent through to a mobile phone then the latter needs to be pre-authorised and, above all, present when the login attempt is made – which may not always be the case.
When this happens, people tend to look for ways of simplifying it themselves, such as writing passwords on a Post-It, or including them as an electronic note on a pad.
Without dwelling on the detail (for example, how Google offers the additional complication of a sheet of one-time keys in case a device is ‘forgotten’ by an application, which must be printed and stored in a memorable place), what’s clear is how the security challenge has moved from the device level to the ecosystem level.
This requires a change of thinking from IT decision makers and security professionals alike. Put simply, security isn’t ‘done’ when devices have been protected in themselves. Neither is it completely ‘done’ when an ecosystem is protected, given that the boundaries are eroding all the time – as the integration between Facebook and Apple’s OSX or Microsoft Metro illustrate.
Even as the walls of such walled gardens grow higher, we all need to pay attention to the cracks and the places where a seemingly tiny hole can lead to a major breach. Protecting the core is no longer enough: we all need to focus on the whole ecosystem, rather than its individual pieces.