Who Are You, Really? A Peek at the Future of Identity

  /     /     /  
Publicated : 23/11/2024   Category : security


Who Are You, Really? A Peek at the Future of Identity


Experts dive into the trends and challenges defining the identity space and predict how online identities will change in years to come.



Identity and identity management are top-of-mind for security leaders across industries. Which data is sufficient to prove people are who they claim to be? How can identifiers be protected? And what happens when a malicious actor gains access to the data that proves you are you?
It is one of the hardest things in technology that we have to deal with, says Wendy Nather, director of advisory CISOs at Duo Security. The identity challenge is growing in size and complexity as businesses improve communications, technology, and data integration.
Twenty years ago, Nather explains, every business sort of operated like its own island. Each had its own data center, and the types of data theyd send back and forth were very restricted. Now theyve integrated more automation and transaction types between organizations.
A typical Fortune 500 company could, for example, connect with hundreds or thousands of third parties. Managing those connections, and limiting them to only those that are necessary, is one of the many issues driving complexity in the identity space. Add outsourcing and cloud services, and things get even more complicated for organizations.
A number of functions now lay outside their control, Nather says. For third parties managing different clients, and businesses making sure third parties are doing the right thing with their permissions, its a multifaceted challenge that will only grow as consumers jump into the mix.
Adds Ian Glazer, founder and president of IDPro: We dont have an answer to the problem of identity for consumers throughout their lifecycle.
Identity Challenges: Whats Top of Mind
Glazer points to the issue of identifiers: names, phone numbers, email addresses, and other data that make up our online identities. In a security breach, identifiers are spread to third parties who can use them to assume others identities.
One of the things that has been a problem for a long time, and will continue, is the relationship between people and their digital identity, Glazer says.
Its an issue well have to worry about in our increasingly connected society: How well do people protect the link between themselves and the data that identifies them? When were proving our identity to online services, how do they know were the person we claim to be?
Ideally, each of us would have our own immutable online identity to denote who we are. But the biggest problem for businesses, says Nather, is that identities evolve.
Businesses are made up of people, and people change all the time, she adds. Identities shift when companies are acquired, when partners change, and when people leave the organization. We dont have a good way of making trustworthy and trackable changes, she points out.
This prompts a question of how to make a trackable chain of identity ownership. Blockchain typically comes up here, Nather says, but there are problems. Blockchain is hard to correct, for starters, and humans make mistakes. She doesnt think the answer is in technology alone, but rather a mix of technology and process and a trusted group to supervise identity changes.
The identity issue will continue to grow as breaches expose more of the information people use to identify themselves online. Account takeover is huge, says WhiteHat Security founder Jeremiah Grossman, alluding to the myriad ways in which attackers leverage the identities they steal and purchase online. Your online persona, your identity, your accounts ... thats you.
Yet identity is more than a user ID, notes Brunswick CISO Alan Mitchell. Employees identities tie into the system – what the system is accessing, applications people use on a regular basis – and all of those things tie into, and make up, a complex identity that could be a target for compromise.
As we become more reliant on the Web, the attractiveness of account takeover goes way, way up, Grossman says. Not just for the high net-worth people, but the people that surround them.
The Problems With Solutions
Think about how you interact in the real world: You get introduced, first interactions are formal, and over time you recognize people by their looks, voice, etc. One of the paths we should be on as an industry is moving from authentication to recognition, IDPros Glazer says. Online, we constantly reintroduce ourselves every time. What we dont do is recognition ... and that gives the attackers the advantage.
We need to move toward a world in which machines recognize us by the way we interact with them, he continues, but the problem is this requires participatory surveillance. People have to volunteer personal and behavioral information (fingerprint, typing cadence) so devices will recognize them. On top of that, we dont have a common language to explain to consumers and employees how this recognition works and why its necessary.
If you want the individual to be an active participant in the process, its incumbent they understand what the process is, he says. Its also incumbent on businesses to use the information appropriately and for its intended purposes.
When Duo Securitys Nather thinks about the future of identity in a business-to-business context, she says trusted intermediaries will surface to handle the exchange of identity data between parties. If several companies in one industry have trusted intermediaries specific to that sector, they will be more likely to use that organization to handle identities among companies in the space.
Figure 1:
(Image:
Fgnopporn
– stock.adobe.com)
She points to retail as an example. Most stores have to identify customers, which is easier to do via trusted intermediates – for instance, payment processors – rather than identifying individual customers themselves. Retailers can use payment processors to facilitate payments, and Nather anticipates well see greater consolidation of payment processing. Chances are, because the intermediarys specialty is identity management, itll have stronger security.
There are implications for centralizing trust and identity, she continues, and one key issue is availability of data. Centralized data is less available; if a business relies on five different identities, theres a greater chance something will go wrong. A second problem is privacy.
We dont tend to place our trust quickly and easily, especially when it comes to payments or aspects of identity that are very personal, Nather explains. Even when an intermediary seems to be trustworthy, trying to verify whether it can be trusted will be a separate question.
A New Form of Fraud Prevention
One company doing something different in the identity space is Arkose Labs, which aims to prevent account takeovers, fraudulent logins, spam, ticket scalping, and multiple payment authorization attempts by identifying and blocking attackers. Companies including Electronic Arts, Singapore Airlines, and GitHub use its tool to prevent abuse before it occurs.
One recurring issue in identity is verifying users are actually who they say they are, says Arkose Labs co-founder and CEO Kevin Gosschalk. Businesses have tried to make authentication easier for users with fingerprint logins and multifactor authentication; now theyre trying to remove passwords altogether. People generally dont like to do extra steps when they log in to do things online, he adds.
The tool aims to verify the person logging in is the account holder. If the system sees a user attempting to log in and doing something suspicious (credential stuffing attack, for example), it will look at the behavioral signals and trigger enforcement when it notices unusual patterns.
The goal is to make it more expensive for actors to conduct attacks that leverage users identities. The tool never blocks or drops a user, even if its suspicious. It instead presents them with increasingly complex challenges – things a human could complete effectively but are difficult for a script to get around. For example, it will present an image of a dog, but the image is a 3D model that commercial software wont be able to interpret in real time.
Grossman, who is on the Arkose Labs board, joined the company over two years ago because he says its tackling the problem is ways other companies have not – and its changing the game for attackers, who cant get past it. He describes Dark Web message boards, where a community of cybercriminals express frustration over what they call Funcaptcha.
Any time Arkose comes up, you really see them whine and complain because they cant get past it, and the cost is going up, Grossman says. He expects the companys approach, which uses computer-generated avatars, will work long-term to prevent account takeover abuse, generating fake accounts, airline price scraping, and other forms of online fraud.
Case Study: Identity in the Cloud
Brunswick shifted its approach to identity management when it switched from a data center-centric model to a cloud-first approach.
People are scared of moving to the cloud, Mitchell says. In order to embrace and utilize that technology, one of the things Brunswick has done is focus on identity as the new edge. Were focusing on using identity as the point of protection for its new form of infrastructure.
Every company undergoing a tech transformation has different challenges depending on their infrastructure. For Brunswick, a 175-year-old corporation, Mitchell says there was a challenge in managing identities across myriad disparate systems and applications. As more people continue to adopt cloud, its going to be a natural transition for many.
Theyre going to need to have identity and access and access governance in place in order to protect that infrastructure, he explains. Brunswick, which struggled with access management and governance, realized it had to treat its cloud and SaaS platform as part of its identity management platform.
Access management and governance require more than just a tool, Mitchell continues, but a technology that implements smoothly with established processes and workflows so employees can manage access, identities, and governance. A few years back, Brunswick began installing SailPoints identity governance tools and realized its widespread influence on how employees operate. People were used to doing things with manual processes, he adds, and were shifted to a single portal.
Change management came easy for them, he adds, which he attributes to strong communication with SailPoint and education tools for employees accessing and using the system. You can have the best tool in the world, but if you dont educate people on how to use it, it wont be as effective as you hoped it to be, Mitchell says. In 18 months, the company saw an increase in the access provisioning efficacy; employees also had more time for other projects.
The main thing I would recommend to folks is understand your applications well, he advises other companies struggling with identity in the cloud. Much of the work relates to ensuring an application works and the process associated with provisioning is running smoothly.
Take the time to understand your applications and how it affects business processes. Take the time to make sure you have robust method for onboarding applications and testing to make sure onboarding works well, Mitchell adds.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Who Are You, Really? A Peek at the Future of Identity