Security Interoperability: A More Efficient Internet Design
Research Problem:
The Internet does not have a shared data architecture that allows for centralized management of personal information. Each Internet Site that is protected by encryption utilizing a profile and account management system is individualized and users create accounts manually, without an automatic profile copy option. Leveraging account management code or functionality from other major applications, tested and proven, such as Facebook and Google, or Id.me has somewhat streamlined the login process, centralized account management and credential use insights are limited and still presented in highly technical terms for users. These complexities and inconveniences present unnecessary security complications which most likely increase the risk of breach. Not only is it a highly duplicative manual process, but each site varies in its information requirements, yet promises the same level of security. The problems are in the architecture, lack of shared and centralized design, and individualized security protocols within each application without a security account management suite. Password management vaults and ‘remember me’ login features are available, but they do not solve the architecture problem; they are quick answers to complex and critical systems that require a shared data solution. Password managers are effective tools that provide convenience along with security, but they are not a cure-all against hackers (Security,org, 2021). Multiple user profiles exist, and the number grows each time a new application with security features is introduced or a new account is established, reaching an unmanageable number which leads to inconsistency, dysfunction, and conflicting information. There is no automatic fast way to update all accounts, or to perform emergency shutdowns, or to cross check information for validity. Each user is left to their own practices of managing information, and for some odd reason, the security industry thinks the everyday human is capable of understanding complex security management. Risk is transferred to the businesses and users, without a set of good common standards and practices. The major problem is that security breaches are made public, as are suggestions for protection of data, yet each individual has the freedom to manage however they want to. Instructions are often present, but lengthy and complex.
Background:
The security design is non-standardized with many recommended standards published by the National Institute of Standards and Technology. Some of the concepts, such as encryption, multi-factor authentication, and other security methods are complex, with no technical guidance for developers to refer to when deciding on how to best implement security for their applications. Authentication is one of the major security functions of online systems. It is believed that when an organization uses DevOps or DevSecOps, it utilizes a standard test model incorporating security throughout its process, but it is only presented in broad terms. Many laws govern the protection of personal data, as outlined in the Privacy Act, the Freedom of Information Act, and other Electronic Systems laws. The law is broadly written and does not govern or regulate security practices, other than to say information must be protected. Security is standardized across the Internet, with account creation and the use of Secure Socket Layers (SSL) Encryption for Internet Sites. Each is built individually, most likely with a common code for account creation and the protection of information while stored and in use. Security has advanced to offer multiple options for securing Internet data, but a problem has risen showing massive redundancy that is believed to increase risk.
Researchers from Stanford University and a top cybersecurity organization found that approximately 88 percent of all data breaches are caused by an employee mistake (Tessian, 2023). Interoperability enables the seamless sharing of information and the integration of security systems from different vendors. It is the key to achieving this integration, as interoperability allows organizations to create a holistic cybersecurity approach that adapts to their unique security architecture (CISOMag, 2023). Professionals continue to promote cyber-security awareness and training programs, and no one has brought up that it might be too much to expect an everyday user to manage a high number of accounts with different security requirements. The expectation that people are capable of managing their own, if given instructions only works to a certain extent and it might be proven that human error is the main cause of breaches and is higher than the number of hacked accounts.
Research Questions
Is the current system of individualized profile and personal account management the most efficient and secure solution available and has it reached a point of unmanageability leading to higher risk of breach or unprotected and mismanaged personal data? Will a shared leveraged account management system prove to be more effective in centralized information management? Why is this a matter of choice and not a matter of regulation if it affects the national economy?
The problem must be understood from four perspectives: The Security Product Provider, the Developer, Implementer, and the User. All involved parties must also understand the legal responsibility, rules, and ramifications. Technical challenges exist in separating the technology test cases of data to the analytical review and legal application. The use case is designed to prove data and privacy management efficiency using Leveraged Account Information (LIA). It is unknown if the use of Google’s Sign in With code feature is reliant or affected by low-quality security of the information site it is used on, or if security functionality and risk are transferred. “All of our products are guided by three important principles: With one of the world’s most advanced security infrastructures, our products are secure by default. We strictly uphold responsible data practices so every product we build is private by design. And we create easy-to-use privacy and security settings so you’re in control.” (Pichai, Google I/O 2021).
Project Management
Project Management processes and knowledge areas can be used in Security, for implementation and to provide a framework for the study of security products. Since Security is often a separate function performed by security experts, in addition to software development or coding, the tasks are managed under one project, perhaps with multiple project managers and dependencies. Security tasks can be managed using the project management system of initiating, scoping, scheduling, budgeting, monitoring, controlling, and executing. When studying security products, such as LIA or IUA, a project management approach can be taken. Current methods project management methods for executing or monitoring and controlling processes for a selected knowledge area (scope, time, cost, quality, human resources, communications, risk, stakeholder management, integration, or procurement) are possible when conducting a study on security products but is more suited for the implementation of security products, wherein the scope varies depending upon selection. The LIA security method in comparison to the IUA method can be effectively managed as part of a project but with a much smaller scope, timeframe, budget, and risk. This fact alone is a reason to recommend LIA over the IAU approach for improved management. Evaluating ethical, diverse demographic, and cultural perspectives appropriate for leading projects and programs to a successful outcome within the framework of the five process groups of initiation, planning, executing, monitoring, and controlling, and closing would require the study to include demographics of surveyed participants and or consideration of studying the use of a specific security product’s project management activities of the 5 process groups for comparison. This means the study would need to be done with data from a large population to compare cultural differences in the outcomes of one security product.
Security testing and risk management are important tasks that are managed using PM principles. A risk assessment explores how a component could be exploited by the identified threats (i.e., what could go wrong) and analyzes the possible responses to such attacks. The response options for a risk are to (a) mitigate (reduce probability of event, reduce impact, improve recovery), (b) transfer (insurance, contracted agreements), (c) ignore (for low impact and highly unlikely threats), or (d) avoid, which may require changes in requirements (Ellison, 2006). The differences in scope, security, and risk between LIA and IUA are tremendous, affecting all process groups and the project plan. Although still important to test, with a much shorter implementation timeframe, and limited responsibility for code creation and testing, the LIA method greatly reduces risk and the project scope. Seeing the power of automation, managing API has also been handed over to API management platforms or software. Using such platforms, businesses can trim down the efforts, time, and money invested in maintaining the product as well as its API (Wallarm, 2023).
A specific project management methodology such as Traditional, Agile, or other method might be used to manage the implementation of API products. It doesn’t matter which method is used, but it must be understood that LIA-API product implementation varies significantly from IUA development and implementation. It can be hypothesized and proven that one method works best for a specific security product, but the research study must stay in scope and only evaluate the use statistics and not development comparisons of LIA and IUA. The significance of API management for developers ensures robust security through authentication, authorization, and encryption measures (Hafeez, 2023), among other benefits. The implementation of an API is part of a software development project, managed using some project management method, but becomes are regular operational security management task that is ongoing. Management of security data takes place on the developer’s side and the user’s side. This study is mainly focused on user management of security data when using API products; specifically LIAs.
Strengths and Weaknesses of Project Management Research
Earlier research conducted regarding Project Management studies is of limited value but do provide some guidance on how to effectively organize the research study. Although no specific research studies regarding project management can be used to support the research questions or prove the hypothesis, they are useful in selecting a specific PM method to use for the research study. There are no specific Project Management studies that are correlated to security products or specific to DevSecOps that could be applied to the two security products selected for evaluation. According to Nidecki, “no matter what name you choose for your secure DevOps, the important thing is to realize that security should not be an isolated island in your development and deployment processes but an integral part of every activity in the software development lifecycle” (Acunetix, 2023).
Limitations of the Study
Testing to prove the hypothesis can only be done on a user level or a developer with a user account to test Leveraged Identity Authentication. The test can compare LIA and IUA methods and determine efficiency levels, as well as measurements for information management, but it cannot predict frequencies of forgotten passwords, breaches, or changes in risk using the existing framework because it is a new and different design. Since not all e-commerce or internet sites with a profile and account management system uses LIA, and the Internet is so vast, its only possible to create a test for one user. Once one users experience can be tested and evaluated, the test can be scaled across the internet to see how vast the problem is and how impossible it is to manage Internet Security from a global security perspective.
Choosing the right project management method for implementing a security product is essential. While the complexity of security is greatly reduced using LIA products, implementation and testing are still required, meaning it must be managed as part of the project. The DevOps and DevSecOps incorporates not only agile methods but also parts of the process groups defined in the PMBOK (Kramer & Wagner, 2019).
Problem Simplification
A security architecture of interconnectedness that leverages secure account management is vital, which requires a change to more than just a security policy, awareness, press releases or media, technical code, database management, threat-based monitoring, and developer choice. It is unknown if using Google’s security functionality by adding code or connecting through an API is dependent upon the internet site that the code runs on and to what extent. Re-clarification of the scope of security must also be explained and correctly applied to the correct management system. Rather than teaching users how to create secure accounts for each merchant or internet site, and using awareness as a user responsibility, a change to security processes from one side is required, with implementation across the Internet to change how Internet Sites (and possibly more) are created and managed. The fruit of the poisonous tree and virality must be considered, as well as a theory of Complexity. The result guarantees a benefit that can be seen as a change to the improper transfer and balance of risk and responsibility. Currently, security risks are spread out and by bringing them together, they can then begin to be understood and effectively managed, but first risk must be separated from trust, and roles and responsibilities must be well understood, standardized, and proof of improvement to even begin a system security evaluation from a two-part perspective.
Risk Management
Security awareness is an educational endeavor, and by doing this, security risk has been transferred to the users, with developers and site owners assuming people can and should manage device and application security on multiple levels, in multiple places, and with many different companies, processes, and details of promise or service. This has created a security problem that raises the question of whether there is a better architecture or some solution that could centralize and standardize security. Everyday users are not educated in the Risk Management Framework and efforts to train or educate small businesses on such practices is a nation-wide endeavor. The transfer of risk occurs, without effectively explaining the problem and protection measures to users and the metrics for ‘security’ and information management is not consolidated and reported, so there is no way to truly understand America’s Internet Security standings, risks, and problems.
There are two problems to solve: the data architecture and user management, which both have direct causal relations to economics, crime, and longevity. Because of the long list of benefits of a centralized system, it must be carefully examined before investment. If developers continue to create varied security solutions, then they cannot solve existing problems, so a stop-work process must be created and placed on all development resources across the world since it poses the greatest risk. If people and management don’t view it as a problem, then work continues as usual until the problem is formally presented and proven to cause or increase risk or reduce complexity and meet efficiency criteria for improved use.
Significance of the Study
The study is important to prove that while the Internet enables people to connect across the world and do business, socialize, and complete information tasks, it is not a shared architecture. Because it is not a shared architecture, information is duplicated, varied, and difficult to manage. Users do not have a technical solution for tracking their own activity, data storage, personal information and have a duplicative system for tracking accounts. This study not only shows problems in the architecture, but also shows much efforts towards training and education versus the creation of a centralized automated system for users. Users are expected to be responsible for the sharing of the data, and commerce responsible for the protection of data, yet the management process has become so duplicative and daunting, its obvious that the more data there is to manage in multiple places, the greater the odds are of breach or false information that goes unmanaged.
The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations (NIST, RMF, 2023).
There is a greater focus now on user experience, with much effort and attention on security. With an enterprise identity management system, rather than having separate credentials for each system, a user can employ a single digital identity to access all resources to which the user is entitled (Barton, et. al, 2019). Even though organizations implement and follow strong security standards and the ISO 27000 Series has 60 standards covering a broad spectrum of information security issues (Kirvan & Granamann, 2023), few engineers have concluded that the security architecture is not the best fit for advanced cyber-evolution and have only slowly taken on an integrated and centralized approach to security.
Research Method: Quantitative Research using data collection and statistical analysis to compare the average number of online accounts per user, number of leveraged accounts, and management time. It must also review a small sample of password reset frequency, along with a comparison of two security products. It will evaluate two variables comparatively and statistically: leveraged security and individual security profile management. More variables may be added.
Research Questions
Does the individual user account security system suffice for a single user and how does it compare to LIA methods in terms of security, time, management, use, and risk? What is more efficient and simplified: LIA or IUA? Is it of lower risk and benefit for a centralized account management system with a more organized and integrated authentication system? It is believed and can be proven that the more security options a user’s has and the more variation in process, the greater the chance of mismanagement. Forgetting information is not the only problem, but also the inability to centrally manage and effectively share or entrust data to others for management.
Data Collection
Data will be collected and analyzed to show differences between leveraged individual accounts (LIA) and individual user accounts (UIA); compared numerically, along with time statistics to measure efficiency. Process must be compared, as well as adherence to the Risk Management Framework, if risk assessed. Confidentiality is important and ensuring safe handling of information and protection of personal data. Specific informed consent will be explained in detail as to the extent of the survey and voluntary participation. Anonymity will be an option for survey participants and published results will not include personal information.
Definitions
Individual User Account: An individual user account is a single profile completed on an internet site or internet site application where a username and password are required, along with personal profile details. These are managed site by site. It is a similar, but not exactly the same standard login process for each site and requires users to ‘retype’ the same profile information, and allows variation in username, passwords, and personal information.
Leveraged User Account: A leveraged user account uses an existing account, such as Google, Facebook, or AppleId to manage its personal account information. It uses a management console that enables users to control access to other merchants or providers of Internet goods and services. It is a three or four-step login process with no typing required.
Risk Management Terms: Acceptance, Avoidance, Transfer, Mitigation. These are terms used in the Risk Management Framework for Security of Applications. Risk is considered accepted by the users when setting up a profile, and risk is considered transferred by the Technology community, along with information management responsibility. Risk increases when data mismanagement opportunities and inconsistency exist. Perceived risk is a non-proven risk of trusting only one company or application with personal privacy data management. Risk is considered mitigated by users who utilize a centralized password vault, paper process, or third-party application to manage multiple security profiles used in many places. Risk terms from a developer perspective is also transferred to the provider of security application code implementation using LIA and risk responsibility are uncommunicated mitigation actions completed by security product providers, and data users which encompasses more than a single person, including those who require, use, share, sell, and store the personal data. Risk responsibility is critical to clarify roles and actions required to change media alerts, and viral scare tactics, and to manage security efforts properly for more than just the consumer/user.
Quantitative Research
The number of personal online accounts, as well as a recording of time to access and change data, compared using two solutions: the LIA and IUA. Data management procedures must also be evaluated and compared. The comparisons are not just for the number of accounts and the time it takes to access and manage it, but also a scenario for a data change in comparison of both, along with important questions, such as how to best manage everything in one place, whether there is a technical solution or a paper process, or reliance on memory.
Rules, Policy, Regulations, Law
The Privacy Act of 1974 establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies (Privacy Act of 1974, 5 U.S.C. § 552a, 1974). The Freedom of Information Act applies only to federal agencies and not to records held by Congress, the courts, or state or local government agencies. Each state has its own public access laws (The Freedom of Information Act, 5 U.S.C. § 552). The Digital Millennium Copyright Act is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization, criminalizing the production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works (Digital Millennium Copyright Act, Pub. L. No. 105-304,1998).
The availability of information, from personal information to public information, is made all the easier today due to technological changes in computers, digitized networks, internet access, and the creation of new information products. The E-Government Act of 2002 recognized that these advances also have important ramifications for the protection of personal information contained in government records and systems (DOJ, 2019). Privacy Impact Assessments (PIAs) are required for Federal Agencies that develop or procure new information technology involving collection, maintenance, and dissemination of information in identifiable form or that makes substantial changes to an existing system (E-Government Act of 2002, Pub. L. No. 107-347, 2002). Local and state laws vary regarding rules of use of personal information; the state of Virginia prohibits the processing of sensitive data without obtaining consumer consent (Va. Code § 59.1-578). The processing of sensitive data also triggers the obligation to conduct and document a data protection assessment (Va. Code § 59.1-580). The state of California’s Consumer Protection law is much more specific in delineating consumer rights of personal information protection (CA DOJ, CCPA, 2023). The Virginia Consumer Data Protection Act (VCDPA) clearly defines whose personal data is covered, describing consumers as Virginia residents “acting only in an individual or household context.” It further clarifies that consumers are not those acting in a “commercial or employment context.” Unlike California, where the now-expired B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air (Bloomberg Law, 2023).
If specific laws that govern the protection of personal information are state by state, then another problem exists in security protections, as are the procedures for remedy when the laws are violated. Therefore, the responsibility for the security of personal information must be clarified and added to the argument that a single provider of security products for consumer use is beneficial for more than just efficiency, but legal purposes.