Passport of the Future

11 August 2008 at 19:32 | Posted in Airport Security, Aviation Security, Electronic Identification, Ideas, IT Security, passport, Security

[Category: Ideas. If you are new to my blog please read the “About itimes3” page first]

Yesterday a friend of mine, who is prone to forgetting his passport as well as losing it from time to time due to forgetfulness, asked me: “George, what do you think is the future of passports?” He was wondering whether there would ever be a better solution than having to remember to carry a small booklet around the world to prove his identity.

So I gave him my vision of the future of passports, which I believe will be more or less as follows:

First there will be a process of (further) standardisation, computerisation and globalisation. This may lead to the passport as a booklet being replaced, say in 10 to 20 years, by a smart card of some sort (probably a credit card sized plastic document with embedded RFID-type chip). The smart card will contain all relevant user data including travel history, biometric identification data, photo, etc.

All the technology is available; the main problems are with global standardisation and systems integration (which can only happen as fast as politicians work, i.e. generally slowly) as well as with security.

Once this stage has been reached, further convergence will be possible, towards everyone carrying only one card or similar item which contains the passport data, but which can be loaded with additional functionality such as driver license data, bank card data, health records, phone data, and random additional items such as gym access, security access to buildings, cars, etc. etc.

The main issue there once again will be security, but it will be possible to overcome this (although of course nothing is ever totally secure). The card data may be transferable to authorized devices such as cellphones (so the cellphone could be used as passport, etc.) or for the owner to create a read-only backup copy.

The next step after this will be embedding. The “converged passport” will be embedded into the body in the form of an implanted chip, much like more basic chips (usually based on RFID technology) are already implanted in animals and in some humans.

At this stage, more data will likely be added to the implant (for example it would be nice if we could carry our computer data within our body). Our body would communicate with various wireless networks as we walk down the street (for example receiving messages), access buildings, our bank accounts, enter new countries, enter our cars (which will only start with us or an authorized person at the wheel), etc.

As an added form of security, DNA sequencing should be fast enough at this stage to allow it to be used for authentication purposes (perhaps not sequencing someone’s entire DNA, but a few key points that are unique identifiers, much like fingerprint scanning only scans for a few unique identifiers and does not deal with the entire fingerprint).

So I answered my friend that in the end, we will be our passports: all current passport data – and much more – will be carried within our bodies.

If you like this idea and you work in a type of industry where this is relevant, I would be happy to discuss in more detail, answer questions or assist in other ways. For details and contact information please see the “About itimes3” page.

George Spark

Disclaimer: Any trademarks mentioned herein are the property of their respective owners.
All usage of this site is entirely at users’ risk.


Cloud Computing Security

1 August 2008 at 13:40 | Posted in Cloud Computing, Data Centres, Ideas, IT Security, Online Backup Services, Security

[Category: Ideas. If you are new to my blog please read the “About itimes3” page first]

Cloud computing is the next big thing, or perhaps the current big thing. If you work in the IT industry like me, you’ve read about it and heard sales talk about it for several years now, and the pace is stepping up.

Yet what has been surprising me, particularly now that cloud computing appears to be taking off in earnest, is that there does not appear to be any formal, independent global body as yet that oversees the cloud computing industry.

There are no ISO certifications for cloud computing operators, there is no standardised security benchmark, no governing body, no way you can tell whether a service you may want to subscribe to is run in a secure data centre or on a stack of dusty, failing reconditioned PCs in the corner of someone’s flood-prone garage.

For the past few years I have been doing my backups online, online backup being probably the most basic form of cloud computing. Problem is: each of the big operators in this market claims they have secure facilities, store your data in a way nobody can access it, use private keys for encryption, etc.

However there is no way I can know for sure that the data centres they use, and the systems they use, are truly secure and compliant with any standard – particularly because there is no standard. One thing is certain: there are vastly differing setups out there, yet everyone claims high levels of security.

Case in point is the use of “private keys”. Several operators claim to offer data security via the use of a private key, and that they cannot access the data because the private key is entered by the user and thus the user is the only one who knows the key and can encrypt and decrypt the data.

However, this is not technically possible, because all these backup services use versioning to track changes in the data and back up files incrementally, which very significantly saves on disk space.

In order to use versioning, the data needs to be decrypted to check the file content and how it changed, then back up the changes and re-encrypt the file. For this, the private key is required. Which means it is stored somewhere and accessed by the backup service on a practically non-stop basis whilst the backup is occurring.

Obviously this is all done in an automated way; no human being is sitting there manually decrypting and re-encrypting these files. But it means that if someone at the backup service provider wanted access to your data, all they would need to do is load the private key, which they have to have access to, and decrypt any files they wanted.

And this is just one example. The same applies to any other cloud computing services available today. We do not know what is out there at the data centres. Our data is lost in the fog. A big brand name makes no difference (as recent big outages at one key provider show). What is needed is independent verification and compliance with standards.

So I say: it is time for either the industry or user interests to initiate the creation of an independent governing body, that issues certifications to cloud computing providers that comply with a published minimum security standard. And to verify compliance on a regular basis, through, for example, unannounced annual inspections.

If you like this idea and you work in a type of industry where this is relevant, I would be happy to discuss in more detail, answer questions or assist in other ways. For details and contact information please see the “About itimes3” page.

George Spark
