8 minute read
Cybersecurity, success within reach
G7 Executive Talk Series
Branded Story / Rivetz
Cybersecurity: Success Within Reach
As the G7 leaders gather to exchange
ideas, how to protect democracy and their citizens from cyber attacks will certainly be a hot topic. Governments around the world need to protect national secrets while safeguarding the personal data of their vast workforces. For instance, the U.S. Department of Defense has 3.2 million employees – making it the largest employer in the world.
When it comes to cybersecurity, there have been far more failures than successes to date.
The U.S. government fell victim to the largest data breach in the country’s history not so long ago. The Office of Personnel Management is, more or less, the human resources department for the federal government, as they oversee the legal details of hiring, promotions, benefits and pensions for millions. The data breach began with the attackers stealing the agency’s master list of credentials: usernames and passwords. They used these credentials to access the system and implant malware to steal
sensitive information.
The attack compromised data from background checks on current, former and prospective federal employees. Information included applicants’ personal finances, past substance abuse, psychiatric care and other troublesome personal details. In addition, 4.2 million past and present employees’ personnel files were put at risk, along with 5.6 million images of employees’ fingerprints. The attack raised deep concerns about government security, and inflicted irreparable damage to agency’s reputation.
Quite simply put, the present system of password security has failed. New, devicecentric solutions using the blockchain offer the greatest defense against increasingly sophisticated cyber attacks.
Perhaps the greatest vulnerability in the password-based system is the user, who often chooses weak passwords or re-uses them on multiple accounts. Probably the biggest reason is that we just don’t like passwords.
More than 80 percent of us would find it convenient if we never had to use passwords again, according to a Rivetz-commissioned survey of 1,000 U.S. adults. Even if we were better about our password creation and use, hackers still wouldn’t have too difficult a time overcoming that security layer.
Many security firms are experimenting with blockchain solutions, but Rivetz has a holistic approach that offers tremendous promise. The company combines the Trusted Execution Environment (TEE) already built into the hardware of billions of devices with the immutable record-keeping of blockchain technology to eliminate our reliance on usernames and passwords.
Blockchain is a distributed ledger technology that employs a network of peers and cryptographic algorithms to ensure the ledger cannot be altered. Each transaction in the ledger is signed with a private key that gives the signer governance over that transaction, for whatever purpose.
74 ❙ g20g7.com
RIVETZ TECHNOLOGY PROVIDES HARDWARE-LEVEL SECURITY BY FURNISHING DEVELOPERS WITH ACCESS TO THE TRUSTED EXECUTION ENVIRONMENT. THE TEE IS AN EMBEDDED, ISOLATED AND MEASURED COMPUTER ENVIRONMENT SEPARATE FROM THE OPERATING SYSTEM.
That purpose could be to transfer funds or record arbitrary data.
While the blockchain is immutable and censorship-resistant, the biggest challenge in decentralized cybersecurity remains that there is no way to prove any individual transaction was what the user intended. If an attacker steals your private key and conducts a transaction, there is no way to prove that the attacker – and not you – intended the transaction. At the present moment, we do not store evidence of whether a user intended and conducted the transaction that’s recorded on the blockchain. A transaction with proof of provenance or intent is much more valuable than one without such controls.
As we continue to improve the information stored on the blockchain, the value of that information increases. Rivetz dramatically increases the quality of that data by ensuring the information recorded was intended by the user – this is called attestation. Without attestation, the blockchain could become
a database of untrue information that could never be deleted.
Rivetz accomplishes attestation by ensuring a user’s devices are in a “known” condition by performing regular health checks and recording each device’s integrity on the blockchain, so future health checks can be compared against that baseline. This establishes that those devices have not been maliciously – or accidentally – altered.
A “known” condition means that the device hardware is in the same state as when it was last tested. Any factor out of place is a red flag indicating that an attacker may have compromised the device since its last recorded condition. The immutability of past health checks guarantees that Rivetz can detect if someone’s tampered with your device.
Rivetz technology provides hardware-level security by furnishing developers with access to the Trusted Execution Environment. The TEE is an embedded, isolated and measured computer environment separate from the
operating system. The problem is, most applications don’t take advantage of the TEE because it isn’t simple to access – developers don’t have the tools to utilize it, and also often lack the understanding of its value for providing security to users.
By provisioning digital transactions through the TEE, Rivetz assures the user’s private keys cannot be altered or stolen if malware were to infect the operating system. By keeping the keys in the hardware, they remain safe from malware or viruses that may affect the device’s software.
Attested transactions that are recorded on the blockchain provide governance and auditability. The TEE is what connects a human and their intents with the blockchain (and, for that matter, with the rest of the digital world). Conducting and attesting those transactions isn’t free, however. That’s where the Rivetz’s cybersecurity utility token, the RvT, comes in to provide the mechanism to leverage the resources in that ecosystem. ›
Charlevoix. Canada 2018 ❙ 75
G7 Executive Talk Series
Branded Story / Rivetz
INSTEAD OF HAVING TO TYPE IN A USERNAME AND PASSWORD INTO EACH APP, RIVETZ TECHNOLOGY WOULD ALLOW YOUR APP TO GENERATE A KEY AND ENCRYPTION WITHIN THE DEVICE THAT PAIRS YOU WITH THE WEB SERVICE.
› Together, the blockchain and the TEE make possible a streamlined approach to how our devices carry out transactions and connect to services via the Internet. The RvT was designed to do just that: create seamless and verifiable security controls for everything a device is instructed to do. The RvT is an
ERC20 token managed on the Ethereum blockchain and provides a new economic mechanism for delivering automated deviceto-device payment for the consumption of cybersecurity services and delivery of software and service licenses.
These tokens manage and compensate
internal and external cybersecurity controls enforced by the trusted execution capabilities of that device, providing a source of payment that is bound by the owner’s policy, assuring that only approved service providers are paid. The user sets the policy for how the token will execute your digital transactions – for example, the RvT token can ensure that you’re only accessing your bank account when you’re in certain geographic locations, or that your spouse needs to approve a withdrawal of more than $10,000.
The RvT token seamlessly adds a crucial layer of protection to digital transactions and authentication across devices, brokering the relationships between devices and cloud services.
This device-centric, blockchain-based cybersecurity model provides a safer and more seamless experience for mobile, IoT and the cloud. The present system is built with the mindset that we are a network of users with devices as an attribute. In reality, we are the opposite: we are a network of devices with users as an attribute. Our mobile phones are incredibly personal devices – they are practically extensions of ourselves.
According Rivetz’s study, more than 92 percent of respondents always bring their smartphones with them when they leave home, citing a need to have their smartphone with them at all times. Our devices are so personal that more than 90 percent of respondents believe it’s important to be
76 ❙ g20g7.com
able to prevent someone from accessing the content on their smartphone if it were lost. Almost everyone can relate that sense of panic when they think they’ve lost – or even forgotten – their smartphone. Our personal devices are essentially our digital identity, so we must build networks accordingly.
In a world where mobile devices are an extension of the user, a user’s collection of devices comprise their digital identity. The vast majority of people do not access their online information and services from devices they don’t own. In fact, more than 71 percent of those surveyed by Rivetz feel like their data isn’t secure if they sign in on from devices they don’t own.
People are so strongly connected to their smartphones that 64 percent of respondents were willing to allow a friend to borrow their car for 24 hours, but nearly the same number (60 percent) wouldn’t allow a friend to borrow their smartphone for the same length of time. The Rivetz device-centric model is structured so a user’s data can only be provisioned from their trusted devices. This model gives access to a user’s digital information and services from only their trusted devices, making it very difficult for nefarious parties to gain access.
Simplicity is the key to mass adoption of this new device-centric model. Placing the onus on users to remember passwords is a major security vulnerability. We know that users don’t want to have to remember or create username and passwords; this gives governments, organizations and developers alike an opportunity to provide a new paradigm of service quality.
Instead of having to type in a username and password into each app, Rivetz technology would allow your app to generate a key and encryption within the device that pairs you with the web service. All you have to do is log into your device, then the device wil know which services you belong to and grant you access – provided you’ve set a policy that allows you to use that service at that time. You won’t have to remember passwords for every service.
The ease of this device-centric system can be likened to the way a mobile phone “roams” from network to network. When you make a call on your mobile device, you’re not asked to enter a username and password. Let’s say you’re making call while on a road trip; your mobile device will connect to different networks or “roam” in order to continue your call – it doesn’t disconnect your call and ask
you to log in every time it has to switch networks. Roaming has made it possible for you to have a seamless relationship across calls. Similarly, Rivetz allows users to “roam” to different web services carried out from your devices, allowing us to seamlessly interact across services and create a more
frictionless experience for users. As cyber attacks increase in frequency, sophistication and ferocity, governments are exploring new paradigms to combat these threats. A viable solution may already exist within the billions of devices we already own combined with the blockchain’s transformative capabilities. ■
Charlevoix. Canada 2018 ❙ 77
FROM RISK TO TRUST
RIVETZ.COM