I lived in Japan for two years during the 70's and that was my first experience with ATM machines. I'd never seen them before that. Later, I had a chance to visit again in 1996 and found something strange. There were still plenty of ATM machines, but while they'd been used to extend service for US banks, they were largely still just automated tellers in Japan. The most telling hint: they only operated when the bank was open. You had to get money out of them during banking hours.
I was reminded of this story listening to Tom Parenty's discussion with Doug Kaye on IT Conversations. Tom said, "If you want to find opportunities in which information security can promote innovations, focus on removing limitations of time, locale, and scale." He goes on:
The specific approach I took is to look at how one's current security mechanisms are limiting a business' operations from those three perspectives of locality, time and scale, and see how if one were able to provide new and different security solutions to meet the trust objectives for a particular business transaction, how that would allow an organization to be able to do things in a new way. And to give a specific example of the sort of thing that I'm talking about, I want to use an example, well, that actually goes back several decades, but it shows the relevant points, and that relates to the use of ATM cards as an alternative to banking within a branch. If you look at traditional banking operations, going into a bank in order to let's say withdraw money, deposit, transfer or something like that, security limitations or rather security concerns limit the location, scale, and time at which those operations can take place. If you look at alternate technologies to accomplish those trust objectives, then you can get rid of various limitations with respect to time, scale and location. And that is exactly what we saw with ATM machines. You now have the ATM and PIN as means of authentication. You've encrypted lines between the ATM machine and the bank in terms of determining balances for being able to make the access-control decision should a person get money. There are records both in terms of receipt and electronic records for transactions and things like that. And so that's one very good example of how one can eliminate the restriction of time -- one can go to an ATM machine at any time -- you've eliminated many restrictions on scale because it costs far less money to build an ATM machine than it does a branch bank, and you've also eliminated similarly a lot of location restraints because again it's much easier to put an ATM machine up than it is to put a branch bank up.
From IT Conversations: Tom Parenty - Digital Defense
Referenced Mon Mar 29 2004 15:45:04 GMT-0700
I believe that looking for opportunities to remove limitations for time, locale, and scale is a good guiding principle for IT in general, not just security. One of my motivations for writing a book on digital identity is to show how a good digital identity strategy does just that.