Last week I listened intently when a particular question was posed during the Q&A session of a web seminar discussing online fraud trends...
Q: "You [seminar hosts] are a token provider. Given that you're telling us how trojans are bypassing authentication, what are you now telling your customers to do?"
A: "We are all well aware of, and recognise, the threats posed by trojans, and it really comes down to this: a layered security approach is always needed. There is no silver bullet, so what you need to look at when implementing a token strategy is whether this is the sole strategy your organisation is looking to count on from a risk perspective, or whether you are looking to build additional complementary layers to help mitigate your risk, or possibly trade off with other forms of authentication. You should build out a layered security approach."
So before you all moan about yet another reference to that infamous bullet with its silverish shiny colouring, and cry "if I had a dollar/euro/pound for every time I heard that": what I found of greater significance was the recognition, or validation, that "layered security" is the way to go, which could ultimately, but not necessarily, lead to a sole token authentication strategy.
Nearly 4000 Finextra readers have read my previous blog entry - HAPPY 30th BIRTHDAY MVC! - Here's the missing 'S' - where I discussed the following:
Perhaps it's the absence of a much needed Security layer for the past 30 years that has resulted in some of the world's most recent online problems? Surely it is now time for an evolution of this model to enable security and business logic, rules and policies to be entered, enforced and managed all from a separate layer. Hence the 18+ month release cycles and inflexible change request queues that hit business delivery capabilities so hard.
Is this an industry recognition that we are using sledgehammers to crack nuts, and that the sledgehammers are starting to look a little frail against the evolution of nuts? (So to speak!)
As they say, hindsight is a wonderful thing! Or is that the silver bullet to which we all refer? If so, I'm off to the hindsight shop to buy some.
In summary, I agreed with the answer provided, and in the meantime I look forward to opening the doors of my brand new Layered Security Approach store.