Who goes there?
If you have a hammer, every problem looks like a nail. Talk to an anti-virus vendor and they'll probably tell you that malware is the biggest challenge of our time. Chat to someone in the banking and financial services space and they'll lament about phishing. For Dragan Petkovic, security product leader for ECEMEA at Oracle, identity management is just one element of an increasingly complex security landscape that must be tightly integrated with other functions. Identity management should not be just another silo; it should work in unison with other security solutions, he points out.
Identity management has become the final frontier for security, especially as crime threatens both physical and digital security, and the number of access points, systems and applications needing to be secured increases, notes Marius Coetzee, CEO of Ideco. Identity is the basis of almost all security, adds Maeson Maherry, chief solutions officer, LAWtrust, a division of Etion. It is an important foundational element for accountability in business, as well as privacy. And there's no denying that identity is becoming more complicated. Previously related only to humans, identity has now expanded to include entities, devices and machines. This poses a number of challenges that businesses have to address, in that you now need to identify every machine and device - from physical, to virtual and containerised - so that only authorised machines securely work on your network, Maherry continues.
According to research from Forrester, digital businesses need to develop a 'modern' identity strategy, one that is geared towards handling modern risks. Gone are the days when a home-grown, manual approach to identity management and access control would suffice. Outdated access control strategies make it impossible to authenticate customers without affecting their experience, and fail to support employees' demands for access to an increasing range of apps and data. In addition, they inadequately facilitate the rapid adoption of cloud-based services and fail to provide secure, regulation-compliant and cost-effective integration and data exchange across multiple users.
In order to embrace a more modern digital identity strategy, Forrester advises that organisations develop a uniform approach to different access channels, populations and hosting models.
The reality is that passwords are cheap, simple and efficient and this is why they refuse to die.Dragan Petkovic, Oracle
Maherry believes organisations must think strategically, but start tactically. A strong authentication project often kills two birds with one stone. You remove the vulnerability of weak passwords and password management, but at the same time, you get to review your existing identity management process and systems. This way, you can quickly identify where you might need to make further investments.
One of the biggest mistakes businesses make is failing to invest in identity upfront, says Andre Witte, MD at 48 Software. Businesses regularly implement identity after the fact. This means that applications must be retrofitted at a later stage, which delays time to market. Similarly, says Witte, many enterprises attempt to reinvent the wheel, trying to change the way identity is done, instead of just sticking to existing industry standards that enable interoperability within apps.
Responding to changes
We've long advocated a move to what we call 'Identity 4.0', which sees organisations moving away from environments where identity information is kept in thousands of isolated pockets, with each pocket being governed and regulated using different standards and protocols, states Coetzee. The industry must consolidate, regulate and reorder the identity ecosystem, with only one custodian of identity information - something like Home Affairs. Businesses can then use biometrics to validate the user's identity against information housed in this central repository. In this way, users are easily accurately identified without any private organisations owning their identifying data.
Will passwords soon become a thing of the past?
When Dragan Petkovic, security product leader for ECEMEA at Oracle, first started working in the security space, which was about two decades ago, there was a lot of hype around the death of passwords. "Many of the vendors who made those claims are no longer in business, but passwords very much are. The reality is that passwords are cheap, simple and efficient and this is why they refuse to die." But passwords alone are not enough, he says, which is why we are seeing the introduction of additional security devices like fingerprinting and risk-based authentication.
According to Marius Coetzee, CEO of Ideco, passwords are falling out of favour because they are too easily shared, stolen and forgotten. A password does not confirm that the person entering a premise or accessing a system is in fact the person authorised to do so. The only accurate way to authenticate a user is to use their unique biometric markers - like their fingerprints, iris, facial features or even palm vein. This means that a user can be accurately identified, pass into restricted areas and bypass time-consuming paperwork in any number of scenarios, in the blink of an eye or with the wave of a hand. Literally. Fingerprint scanners, as well as facial and voice recognition technologies, are already being used to open accounts and authorise financial transactions and will be used more and more widely. But Coetzee cautions that even biometric characteristics can be misidentified should inferior biometrics scanners and technologies be deployed.
Biometrics plays a key role in user authentication, bringing the user's identity much closer to the actual person, notes Andre Witte, MD at 48 Software. Biometrics also makes it easier to provide a consistent experience across all platforms.
Could blockchain be the answer to identity management and access control concerns?
Blockchain is reshaping the whole security industry and identity management will be no exception, notes Petkovic. "I believe blockchain-based identity will put the user back into the driving seat. In a world where entities will not fully trust each other, blockchain will give users control of how much data they are willing to share," he says.
The concept of self-sovereign identity management - which basically means that you manage your own identity and elect who to provide it to - is an interesting concept that technologies like blockchain can facilitate, according to Maherry. While this is not the only possible approach, the properties of blockchain, including its public distribution, make it an interesting tool for a tamper-proof, public identity registry.
While Roy Alves, country manager for Axis Communications, agrees that that blockchain presents some interesting opportunities, he is still wary about calling it an identity management cure-all. Alves stresses that there are still many obstacles that stand in the way of using blockchain to implement identity management broadly moving forward.
With so much talk around legislation like PoPI and GDPR, how do these laws challenge organisations to amp up identity governance?
PoPI and GDPR bring together data management best practices that organisations should be following anyway, says Petkovic. But with these formal, legal frameworks in place, we're finally giving data governance issues the attention they deserve.
PoPI and GDPR mandate that we secure all identity information we collect and process, states Maherry. Successfully safeguarding this information is ideally achieved using a combination of strong authentication and encryption strategies, which is a whole other discussion, he continues. In order to properly comply with regulations like PoPI and GDPR, enterprises must go back to basics and determine what information they hold, where it is stored, whether or not they have permission to hold it and, if not, they must go out and get explicit permission. Once all of this is established, the business can put protocols in place to guarantee that only people with a right to access the data can access it, which is what identity management is all about.
If nothing else, this legislation forces businesses to update their current procedures and reevaluate these protocols more frequently, says Alves. Modern business must stay on top of technology, and shouldn't try to catch up or respond after something happens. By then, it may be too late.
Cleaning up your act
Sometimes the greatest risks are hiding in plain sight. For Vox's Mayleen Bywater, these include:
- Unlocked computers: When computers are left unattended, anyone can access key data and could cause critical business data to be leaked.
- Poor password management: Typically, employees are required to use a password to access each of the many different system they log into each day. It is, thus, unsurprising that people utilise the some passwords across everything and that these passwords often include gems like `123456' and `password'. If a hacker cracks this password, they can gain access to all networks and sensitive data.
- Policies and rules: Businesses must have a clear understanding of who has access to what data. As part of this, it's essential for access policies to be altered when a person moves to a new position or leaves the company.
Identity management mayhem - learning lessons from Equifax
Last September, as the US was buckling down in preparation for the arrival of Hurricane Irma, the Atlantic's largest-ever storm, a storm of a different kind was brewing. Equifax, a consumer credit reporting agency, announced that it had been hacked earlier in the year and that information about 143 million Americans - including social security numbers, birth dates, addresses, etc. - had been compromised. With this information in hand, criminals had a pretty solid chance of convincing a call centre agent that they were indeed someone else. This was especially because they had access to the type of information commonly used in online security authentication questions. Described as the biggest security breach of 2017, the Equifax incident showcases exactly why identity management is so important.
This article was first published in the August 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.