We never really mastered physical identities but now we are creating a world where digital identity will control access to almost everything we do. Identity fraud has been a huge and increasing problem in recent decades but we are putting more of our eggs in the identity basket. Hacking is a growing issue in every aspect of our digital world, yet we strive to make our identity more digital. An important question is being ignored; are we ready for digital Identity and access management (IAM)?
“Identity is at the top of the mind for all our clients when we talk to them about their journey to the cloud,” says JD Sherry, VP of Cloud Security at Optiv. “We typically focus on the identity piece because it really is the new perimeter. As more and more workloads, applications and services move to the cloud, coupling that with a strong identity strategy is pivotal for all organisations,” he added
In our increasingly digital environments, that come hand-in-hand with heightened security threats, a carefully chosen username and password is just not enough anymore. The latest IAM systems have begun to incorporate elements of biometrics, machine learning and artificial intelligence, as well as risk-based authentication. These provide multiple layers that make it more difficult to fool the system.
The most obvious example might be Touch ID, the fingerprint access control function for iPhones. Recent Windows 10 computers also provide fingerprint sensors but also iris scanning for even higher level user authentication. The next iPhone, set for release later this year, is rumored to include iris scanning and possibly also facial recognition to authenticate users instead of just fingerprint scanning.
These consumer products are familiarizing us with the use of biometrics for access control. Now, more and more buildings, vehicles and other elements of our lives are adopting biometrics for greater security and more convenient accessibility. Wearable and implanted technology is also being considered. However, not all identities in this new world have a biological side, machines must also know which machines to trust without human verification, and that creates a new set of problems.
“Not only is it people’s identities that you have to worry about but also machine to machine identities too, and how those things are tracking. It’s broader than just you and I as individual identities but also what are machine identities doing on the network and how does that dovetails into your IAM strategy,” explains Sherry.
Take the IoT for example, we must be able to make sure that the sensor is providing the information, rather than someone who is pretending to be the sensor and feeding in fake information for whatever reason. Without such a barrier, we are setting ourselves up for disaster.
“Opportunity for man-in-the-middle attacks could be catastrophic – not to put too much fear mongering in – but that’s really where we are evolving if we don’t get the identity piece right with IoT, cloud computing and all of those different mechanisms,” says Sherry.
However, as with many things in this new world, we are going to do it anyway – because of the benefits and because we have become accustomed to identity risk. Six months on, the massive outcry over the 143 million people’s identities stolen in the Equifax data breach has subsided, and we have continued to move in the same direction.
We just need to strive for and hope that we can get things right without too many tragic events along the way. It is also fair to say that we will probably never get to a stage where identities are completely secure. We will live with the risk, attempting to improve security at a quicker rate than hackers can develop ways into our systems. All stakeholders need to understand the risks of the connected world and develop strategies to protect human and machine identities from attack as best we can.
“When we speak to clients, they know that their organisation is spinning aggressively towards cloud computing and moving workloads. Many times they don’t have a core identity strategy, even on premise,” highlights Sherry. “They kind of thought, when moving to the cloud, that everything would just magically get better but more work still needs to be done.”