Edge Computing is one of those terms that mean different things to different people.
Its genesis is in the Operational Technology world. Typically OT networks were isolated from the rest of the world because 1) they needed protecting and 2) had so much mission critical traffic and low latency data in transit. In order to manage the exfiltration of data it became fashionable to establish a computing device at-the-edge that would ensure only aggregated data left the network and only access to supervisory processes was supported.
A typical Industry 4.0 environment will have a myriad of systems on the network all controlling manufacturing processes with supervisory systems to allow staff to monitor the production environment and receive notification of events as they happen. An Edge Computer allows supervision to occur and the amount of data being communicated back to head office to be controlled. Management don’t need to know how many work-processes have been completed, they just want to know how many finished products have gone into inventory.
Vehicles are another case in point. There is an enormous amount of processing occurring in a car, from the critical control messaging advising various components of their status, to trip monitoring and recording. Real-time external communications is becoming increasingly important as road assets become more intelligent and provide better traffic management to appropriately equipped vehicles. An Edge Computing device can make sure that just the service record is made available to the workshop.
Then there’s the home environment. With increasingly sophisticated devices capable of being controlled remotely, everything from air conditioners and lights, to charging stations and grid feed-in controllers, the home environment is becoming an environment that must be protected and controlled; and an Edge Computing device, typically the Wi-Fi router can help.
There are two main reasons for using an Edge computer:
The provision of edge computing devices is a technology whose time has come.
But sharing of photos is a concern for Australians. We provide photos for the purpose of getting a driver licence, not for a central database to be used for other purposes to which we have not consented. This contravenes Australian privacy legislation.
Facial recognition simply needs a facial (visage) template that measures information such as the distance between the eyes, width and length of the nose, the mouth position and chin shape. This enables facial recognition but not image reconstruction. It’s also a lot less data to transmit and store. It is hoped that this is all that get's contributed to the DTA. It could be argued that since a template is a derivation of the photo it's not captured under privacy legislation.
So – it’s good that the federal government is finally moving ahead with an on-line authentication service, it’s just too bad it’s not a truly federated system, it requires service providers to be exposed via the MyGov environment and it’s hoped that the driver licence application process will soon close the "consent" objection to sharing visage objects.Many company privacy policy statements, a requirement under the legislation, are very poor and the number of breaches, with notification finally a legislated requirement, indicates that companies are not safeguarding the data they keep on us.
It’s also a shame that the Attorney Generals Department has not moved ahead with the Cross-Border Privacy Rules (CBPR). We need to plug-and-play in Asia yet we spend more time on Europe’s General Data Privacy Regulation (GDPR). Now GDPR is the gold-standard when it comes to privacy practices, but Asia consists of sovereign states that each set their own privacy regulation, nothing like Europe’s nation states that adhere to a common regulation. Again, AOIC’s role in CBPR needs funding.
So it’s a mixed report card for Australia; we’ve done some things right, we’re finally going to have an authentication system to access federal government services. It’s too bad that I must setup a MyGov account to do so, I can’t use my QGov account.
But that’s the reality we live with - political factions seem to trump logical decisions.
One of the latest topics to be selected for media-mania is facial recognition. Can we of sound mind and technical education please provide a balance to the self-serving journalists who seek to promote their names through social media hype?
There are three areas of confusion that have surfaced over the past six months:
There are no privacy issues surrounding facial recognition. There are, of course, concerns regarding the storage and sharing of facial images that persons allowing themselves to be photographed as part of a registration process should question. But facial recognition uses facial templates (sometimes called facial signatures) and does not require transmission or storage of facial images.
This item supposes that local councils are mapping our movements when we are caught on cameras in public spaces. The technology is not currently available to do this. It requires one-to-many matching and requires ICAO-grade images.
Whatever you think of Beijing’s initiative to promote social harmony it has nothing to do with facial recognition – that just happens to be one of the technologies they purport to use. The only issue is whether or not democratic countries want to go down that route.
It’s important that technically competent people help to quell fear-mongering and ensure a level-headed approach as new technology becomes mainstream.
In helping people understand the technology it is important to differentiate between the two main types of facial-recognition, they are vastly different:
1. One-to-one
This is the area in which most change is occurring and where we are benefitting the most from a better user-experience. There are multiple use-cases, for instance:
- SmartGate immigration stations. These are the automated devices used at border crossings that allow you, if you’re lucky, to enter a country without talking to a border-control officer. They work best in Europe where passports from a wide number of countries are accommodated. There are two steps to the process: you present your passport allowing the system to retrieve your facial template, and then a camera verifies that it is actually you travelling.
- Windows Hello. After registering your face with your PC, and creating your facial template, subsequent logins will turn on the infra-red camera to verify your facial image even in low light.
This type of facial recognition is the future of authentication. Most new smartphones have strong graphic-processing capabilities and are able to positively identify you to a high assurance level. Many governments and commercial organisations want a higher level of assurance than most PIN-based or push-authentication systems can provide so this type of facial recognition has a bright future.
2. One-to-many
This is usually the type of facial recognition that garners the most interest and criticism from members of the public. It is widely used in criminal investigations where a visual image of an alleged perpetrator can be compared with police files of stored facial templates in order to identify a suspected criminal.
This type of facial recognition takes time and processing power; it is not suitable for authentication purposes. It has been trialled in multiple airports, to attempt to identify people on watch lists or individuals with red flag indicators from leaving or entering into a country. These trials have had very limited success because of high false negative rates.
So what should the technical professionals be recommending to our clients?
No – passwords aren’t dead, but facial recognition is one more nail in the coffin.
Thx.
Graham
|
GDPR |
CBPR |
Program Characteristics |
Tight-coupling of European member states |
Loose-coupling of APEC member countries |
Legislative Framework |
Prescriptive, based on a single privacy legislation |
Guidance, accommodating multiple privacy laws |
Recourse for contravention |
Punitive, with significant penalties |
Negotiated, with local agreements for redress |
For the past 5 years cloud services have grown to be ubiquitous, secure and high-performance. Yet just yesterday I was talking to a friend who was lamenting the decision he had to make at work regarding deploying a Microsoft Project server on AWS or Azure. He needed to provide access to team members from two organisations and his company would not allow external people to access their on-premise project server. The cloud is the only way to go for such an application. But while that's so obvious there are some caveats that need to be observed.
It's important that my friend select a cloud service provider (CSP) appropriately. He needs to evaluate prospective suppliers from a operational risk viewpoint - can you get your files back when you part ways with the CSP, technical viewpoint - does the CSP provide adequate security and a legal point of view - are the licence terms suitable?
Then a decision needs to be made on the identity service to authenticate users to the site. Is an access control list going to be maintained on the CSP's site (bad), will there be a synchonisation to AD (not much better) or will the company establish an identity provider service in the Cloud? In this instance a cloud-based federation service to which the other company can interface would be a good idea.
The technolgy is here folks - let's just use it.
Thx.
Graham
Cloud - Strategic or Tactical?
Most companies do not plan their migration to the Cloud. Perhaps as a result of a question by upper management, they find-out one day that they have multiple users of cloud services in their organisation. While each application was a good idea at the time such a disparate approach means that there is no strategic vision, un-coordinated service provision, a significant training impost and little governance over Cloud-based applications and infrastructure.
Identity Management
One aspect of IT infrastructure that must be addressed when embracing Cloud services is identity and access management. It is important that an efficient mechanism be adopted to manage access to applications. It is all too common to provide single sign-on for on-premise applications and only same sign-on for Cloud applications. But this is an aggravation for users and is usually accompanied by poor password management and less than real-time identity provisioning.
Companies should analyse their identity and access management requirements and ensure Cloud applications adhere to them. In an Azure environment this means selecting the level of integration. For a basic configuration the DirSync tool will synchronise on-premise identities from AD to Azure AD (AAD) and password hashes can be stored in AAD for same sign-on. While this can be satisfactory for support of legacy applications to the Cloud it does not provide the session management that single sign-on requires. Microsoft’s solution is to install ADFS on-premises to provide federation services and automatically authenticate users with an active session to Cloud applications. Third party federation services should also be considered since they can be less resource intensive and more flexible.
For naked-Cloud users the issue becomes more of a concern because of the proliferation of applications and the lack of Azure AD. This means that identities are synchronised into multiple environments causing security and privacy concerns. Another option is to select a Cloud-based identity provider service (IDP) and require all cloud-based applications to use it. This means that Cloud applications must adhere to the SAML protocol and that the IDP must provide the required attributes. In terms of selecting the IDP this will normally be dependent upon the main provider of Cloud applications. If Okta is selected then centralising on this service might be indicated. If Salesforce is used, embracing their identity service should be considered. Another solution would be to establish your own IDP on a service such as PingFederate and require all applications to interface to it.
A note on AWS identity services: a typical recommendation is to adopt a VPN approach for hybrid scenarios. This means the Cloud environment will simply be an extension of the on-premise environment and an AD instance in the Cloud becomes part of the organisation’s AD forest. In this circumstance AWS can also offer the Microsoft Word applications in a standard format (not Office 365). This might be attractive for some organisations since it means that staff do not need to be trained on the use of Office 365. It also means that performance issues will need to be to be addressed due to the verbose nature of Windows applications. In some cases a virtual desktop integration (VDI) approach will be warranted. In some cases a dedicated “pipe” into the closest AWS data centre will be a better solution.
C U in the Cloud
Graham Willamson
Organisations are somewhere along the continuum from fully manual identity management to fully leveraged identity and access management.
The manual organisations have no interface between their HR systems and downstream applications. System administrative staff must enter user details into each system to which an employee requires access and there’s no reporting or governance capabilities. These companies are not only wasting time with data entry, creating errors that cause time wastage across the organisation they are also encouraging security problems with de-provisioning, removing entries when staff members leave, generally not occurring or not occurring in a timely fashion. Single Sign-on is only a dream.
In organisations at the other end of the spectrum an employee’s details are entered once, usually into the HR system or, better still, the recruitment systems, and then propagated to the SSO facility or account registration processes for relying applications. Staff have access to the application they need on the first day at the job and are automatically removed on the last day. Managers get regular reports on the access granted to their subordinates and management get governance report on provisioning activity, authorisation activity and any denied authorisation events. It is to these organisations that this blog is addressed.
Arguably the next big thing is Dynamic Authorisation Management (DAM). If you’ve got a good identity and access management environment you should leverage this infrastructure for fine-grained access control on a real-time basis. With a well-designed DAM environment a user accessing an application will have the request re-directed to a decision engine that will interrogate a policy store to determine if the user should get access and the level at which that access should be granted. The configuration looks like:
When the user attempts to access the protect resource the enforcement point, typically Java code or a .NET library sends a request to the Decision Point which retrieves attributes from the Information Point, typically directory, and runs through the policies that have been entered into the system to determine the user’s rights to access the resource in question.
The beauty of this is it happens in real-time so if a person has been removed from an access group they will immediately be refused access to the resource in question. The other big benefit is the application of a consistent set of policies, typically managed by the business units rather than system administrators.
Although there are many variants there are basically two configuration models that can be used to provide this fine-grained control. The discrete authorisation device is a stand-alone, policy-driven decision engine that services any controlled application or device on the network. The other model is the gateway device whereby an API gateway controlling communication between systems, applies the access control policies. Both configurations use a policy store and a repository of identity attributes. Some products require the policy attributes for users to be stored locally, some will access the organisation’s identity store in real-time. Some products are designed for business unit management of policies, others require a system administrator to manage policies.
Regardless of the solution selected, there is little doubt that dynamic authorisation management holds significant benefit for the advanced organisations that can leverage their identity management infrastructure to significantly tighten their access controls and data loss prevention environment.
Stay Safe - Graham