The recent stand-off between Kenya Airways and my very own Senator, Moses Wetangula, brought to mind the questions of authentication, authorisation and access to services.
What is the meaning and role of these terms within the framework of ICT security in particular, or physical security in general?
Authentication is defined as an activity which confirms that you are who you claim to be.
In most ICT systems, authentication relies on your password, Personal Identification Number (PIN) and many other variations of these two attributes.
For example, in online banking, having a password is not considered sufficient, hence the need for what are known as secret or personal questions.
After your password is validated, you are expected to answer a personal question such as “What is your favourite word in your mother tongue?” Upon receiving the correct answer, the system grants or denies access to the services sought.
However, access once granted can still be restricted to perhaps just reading the bank statement rather than actually transferring money between accounts. This is authorisation at work.
FORGETTING YOUR PIN
One may have access to the account, but may not be authorised to execute some services depending on previously agreed configurations with the bank on how the account will operate.
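As an added illustration, not part of the original column: a small Python model of the two steps described above. Authentication checks a password and a personal question to establish who is calling; authorisation then checks whether that account was configured, by prior agreement with the bank, to allow the requested action; and every outcome is written to an audit log so that a transaction can be attributed to an identified person. The account numbers, names, passwords, answers and permissions are constructed sample data.

```python
"""Added example, not from the original column: a toy online-banking service
that keeps authentication (who are you?) apart from authorisation (what may
you do?) and records an attributable audit entry for every request.
All accounts, passwords, answers and permissions below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor; would be tuned higher in production


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked table reveals neither passwords nor answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def _normalise(answer: str) -> str:
    """Personal-question answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.split()).lower()


@dataclass
class Account:
    owner: str
    pw_salt: bytes
    pw_hash: bytes
    ans_salt: bytes
    ans_hash: bytes
    permissions: frozenset  # actions agreed with the bank when the account was opened


def make_account(owner: str, password: str, answer: str, permissions) -> Account:
    pw_salt, ans_salt = os.urandom(16), os.urandom(16)
    return Account(owner, pw_salt, _derive(password, pw_salt),
                   ans_salt, _derive(_normalise(answer), ans_salt),
                   frozenset(permissions))


# Constructed sample accounts (hypothetical names and secrets).
ACCOUNTS = {
    "0001": make_account("Moses", "correct-horse-battery", "Nyumba", {"read_statement"}),
    "0002": make_account("Wanjiru", "giraffe!42", "Maji", {"read_statement", "transfer"}),
}

AUDIT_LOG: list = []


def authenticate(acct_no: str, password: str, answer: str):
    """Step 1: confirm the caller is who they claim to be.
    Returns the account owner's name (the principal) on success, else None.
    Both factors are always evaluated, so a bad password and a bad answer
    are indistinguishable to the caller."""
    acct = ACCOUNTS.get(acct_no)
    if acct is None:
        return None
    pw_ok = hmac.compare_digest(_derive(password, acct.pw_salt), acct.pw_hash)
    ans_ok = hmac.compare_digest(_derive(_normalise(answer), acct.ans_salt), acct.ans_hash)
    return acct.owner if (pw_ok and ans_ok) else None


def authorise(acct_no: str, action: str) -> bool:
    """Step 2: a valid login does not make every action permitted."""
    return action in ACCOUNTS[acct_no].permissions


def request(acct_no: str, password: str, answer: str, action: str) -> str:
    """Run both steps for one request and record an attributable audit entry."""
    principal = authenticate(acct_no, password, answer)
    if principal is None:
        # Nobody was identified, so there is no one to attribute the action to.
        AUDIT_LOG.append({"account": acct_no, "principal": None,
                          "action": action, "result": "unauthenticated"})
        return "unauthenticated"
    result = "allowed" if authorise(acct_no, action) else "not_authorised"
    AUDIT_LOG.append({"account": acct_no, "principal": principal,
                      "action": action, "result": result})
    return result


if __name__ == "__main__":
    print(request("0001", "correct-horse-battery", " nyumba ", "read_statement"))  # allowed
    print(request("0001", "correct-horse-battery", "Nyumba", "transfer"))          # not_authorised
    print(request("0001", "correct-horse-battery", "Shamba", "transfer"))          # unauthenticated
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the separation is visible in the audit log: a request that fails authentication is recorded with no principal at all, which is exactly the attribution gap the column goes on to describe, whereas a request that is authenticated but not authorised is still tied to a named person.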
All this is standard procedure expected to enhance the security of your financial assets while reducing the risk for fraud.
Remembering your many passwords can be, and is indeed, the cost or inconvenience that you have to live with in order to protect your money.
So what happens if you forget your banking password or your MPesa PIN? Do you cause a fracas and demand to access your money with neither the PIN nor the password?
How will the bank be able to attribute the transactions back to you, given that they were executed without you being authenticated or authorised?
‘EVERYBODY KNOWS WETANGULA’
This is basically what Senator Moses Wetangula was asking Kenya Airways to do. He demanded – and succeeded in accessing – a service without authentication and authorisation.
If something untoward had happened to that flight, Kenya Airways would not have been in a position to authoritatively state that the person who boarded the plane claiming to be Moses Wetangula was actually who he claimed to be.
Of course there is the argument that “everyone” knows the very able Cord principal, Minority Leader and Senator Moses Wetangula, and so he should have been left alone to enjoy his flight without authentication.
Such thinking would present the biggest security hole in any system, including the very sensitive airport security system.
Imagine a terrorist, well familiar with such a procedure that allows public figures to fly without auditable identification.
A LOOK-ALIKE TERRORIST
Then imagine this terrorist undergoing a makeup transformation to look and act like one Moses Wetangula in order to exploit this weakness, and then successfully boarding a Kenya Airways flight from Nairobi to Mombasa without valid identification.
Imagine further that this terrorist, having been exempted from the irritating authentication mechanism, takes over the flight and directs it to land right inside one of our leading tourist resorts.
Who would be blamed for this turn of events? Would it be Kenya Airways or the real Honourable Senator Moses Wetangula, who at the time of the tragedy may innocently have been transacting national business at the Senate?
We must look beyond the individual and begin to appreciate that “systems” and “procedures” may be inconvenient, but are there to keep each of us safe and sound.
ARE BIRTHDAY CARDS ID?
We need to see that exemptions to the rule are an opportunity to be exploited by fraudsters, criminals and terrorists.
But others would insist that the Honourable Senator produced other forms of identification. These included credit cards and National Assembly cards, amongst others.
However, unless these “other” forms of identification had previously been documented by Kenya Airport Authority as acceptable forms of identification, they remain null and void (not acceptable) for the purposes of travel.
The nature and form of valid identification remains the prerogative of the service provider. Otherwise travellers may decide to come with all manner of identification ranging from insurance cards to birthday cards, and demand to fly.
JOHNNY CARSON’S CAR
Before concluding, the following story may provide further insights. Many years ago, when Johnny Carson was the US Ambassador to Kenya, I found myself queuing for a visa interview at the American embassy.
His car came along, and I noticed that it, with him inside, underwent exactly the same security checks as the other cars before him, including sniffer dogs all over his car.
He, however, sat patiently in the car and did not look like he was getting irritated or about to complain – despite the fact that he “owned” the Embassy.
It took me years and some information security training to understand that it was NOT about the Ambassador. It was about the security of the Embassy, his staff and thousands of Kenyan customers waiting to be served.
This is how we should all try and see it.
Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Twitter: @jwalu