Content Copyright © 2020 Bloor. All Rights Reserved.
Also posted on: Bloor blogs
Remember the days way back, when you turned up at the office for the first day of a new job. Likely, you were assigned a desk, a computer and some sort of identification badge for entering the building. Before the computer had been assigned to you, a system administrator had set it up, configuring it for your needs and providing access to applications and resources needed to do your job. They provided you with an “identity” so that you and your entitlements could be verified.
Today, the world seems like a very different place. For many, the office may already seem like a distant memory and it is far from guaranteed that the computer that you use for work is provided by your employer. Even the applications that you use may be supplied by a third party in the cloud. The vast majority of people have a powerful phone that is capable of connecting not only to the internet, but also to company-sanctioned applications, even if they own the phone themselves rather than their employer. A far greater degree of control has been handed over to the individual.
The world has moved on
In the world of today, identities must still be managed for the core purposes of verification, authorisation and authentication. But traditional methods of identity management are no longer good enough. Not only has the world changed as networks have expanded beyond the walls of an organisation, but privacy and security are top of mind these days – and there are regulations that demand that this is so. For adversaries, credentials are a goldmine. Users are routinely phished, with the main purpose being to trick them into giving up their credentials. Where this is a simple password and username combination, it can be enough to allow an attacker to gain basic access to a network. But where the credentials provide privileged access, such as the ability to read and alter sensitive data contained within the extended network, the potential for damage is increased significantly.
If an attacker does manage to gain extensive access to network resources, they will often find vast swathes of sensitive information collected in databases, including personal information related to customers, suppliers and employees. Inadequately secured, such data stores provide rich pickings for criminals and can have dire consequences such as identity theft, regulatory non-compliance and reputational damage.
Trust is the basis of identity management
If managing identities is to work, trust is an essential element. Yet, most traditional technologies in this field placed convenience over trust, security and privacy. Going back to the first day at work scenario. Imagine that on the first year anniversary at work, you are promoted or moved into a completely different department. The entitlements needed for accessing resources will likely be quite different, but it is all too often the case that old entitlements that are no longer needed are not rescinded. When those entitlements provide privileged access, the problem is even greater. Trust can all to easily fall by the wayside.
These are some of the prime reasons why privileged access or identity management is such a hot topic. Among those analysts who seem to spend most of their time counting things there seems to be agreement that it is the top priority for organisations in terms of their IT security investments. But, with all entitlements, things change. If someone needs to access a database for a particular task, they should not be granted a blanket entitlement to do so, but should rather just be given privileged access for that one event. Then, the access should expire just as a key is returned when it is no longer needed. If access is needed again, access to the key can be granted. People are known to be not very good at managing their credentials, so why should someone be trusted with those credentials that give privileged access?
There is a Russian proverb that translates as “trust, but verify.” In traditional identity management systems, that was turned on its head. They worked by verifying who someone is, then trusting them based on that one verification event. Single sign-on is a manifestation of that. A person provides their credentials once and is then given access to a wide range of applications and resources, according to their entitlements. The obvious benefit of this is convenience, but the downside is security risk if some of the applications provide access to sensitive data.
Where access is to be granted to sensitive data, a best practice is to require an additional layer of authentication to provide greater assurance that a person is who they claim to be. This is called multifactor authentication and can be achieved by a number of means, including the use of a security token provided to an individual for this purpose or a one-time password. Increasingly the use of such step-up authentication is included with privileged access management implementations.
But this does not get around the problem of the one-time authentication event. What if a person authenticates and then walks away from the device they were using, or that device is stolen or legitimate credentials are stolen by a third party. Increasingly, identity management solutions are taking this into account through the use of continuous authentication so that authentication is seen as a process, not a one-off event. This is where machine learning and advanced analytics come into play.
Such systems look to incorporate contextual information regarding authentication, not just blindly trusting that the credentials are valid. Context can be provided by a wide range of variables. One example is the location of the user. Should a user log in from one location but the log records show that the location has changed to another perhaps an hour later, than is an indicator that the account may have been taken over.
Machine learning can be used to create a baseline of behaviour expected for a particular role or user with analytics used to show where behaviour has deviated from the norm, for which contextual information is essential. Some vendors have coined the term behavioural biometrics, which uses identifiers such a how a person types on a keyboard or by analysing attributes such as their signature of voice patterns. When all these factors are taken into account, risk scores can be generated upon which decisions can be taken, such as denying an action or asking for further proof of identity, even in the middle of a session.
Capabilities such as these will enable organisations to get closer to so-called zero trust, in which no one person or device is trusted by default but rather continuously authenticated and authorised according to identity and the security posture of each access request. Identity management and authentication are central to the concept of zero trust, which requires that a least-privilege model is followed. Only those granted access for a specific task may do so and everything else is blocked by default until actions are properly verified.
Individuals must trust the system as well
In the world of modern identity management, there is another aspect to trust. Given the number of breaches that occur, why should any individual trust any organisation to manage their personal information for them? Not every service is guilty of this, but it is often the case that when an individual signs up to use a service, they are required to provide their personal information to do so and the information requested is often way more than should be reasonably needed. Individuals need to be given the power to decide for themselves how much information they need to divulge. For example, their physical address may be needed for an online purchase to be delivered, but is often requested merely to read an article online. Similarly, people are often requested to supply sensitive information such as their date of birth when all a service needs to know is whether or not a person is of legal age for a particular activity.
This has led to the concept of self-sovereign identity, whereby individuals attest to and own their own personal information, which they store themselves and give out on an as-needed basis. There is no need for that information to be stored in someone else’s repository for which the levels of security are unknown and likely not regularly tested. Whilst some of that information likely comes from official sources, such as a government, the individual is given control about how it is used.
These are just some of the concepts making up modern identity management needs. They represent significant changes from the way that things were done in the past. Bloor Research is looking to undertake considerable research into this area to show what the changes really mean and what they can do for individuals and organisations alike. If you are interested in featuring in this research, please contact my colleague Jessica Love.