19 May
Levelling up your security with identity management
Ensuring only the right people have access to your organisation’s infrastructure is a vital part of any security strategy – are you ensuring that only those who need access have it? asks Philip Ingram MBE
Identity management, also known as IdM, provides the necessary processes and tools for managing identities and roles within an organisation. And it’s becoming increasingly important to help combat the growing tide of cyber attacks.
According to PwC’s 2022 Global Digital Trust Insights survey, 43 per cent of respondents in the Middle East are expecting to see a surge in reportable cyber incidents this year, in comparison to 2021. With the risks of a cyberattack at an all-time high, IdM can add that extra layer of protection to ensure you know who is accessing your data.
Individuals can be identified and then authenticated and authorised to access the information they need – and only that information. Conversely, those who should not be privy to this information are kept out.
Leading the way
Within the Middle East, the UAE is leading the way with IdM. The UAE has already surged ahead in adopting IdM technologies across several sectors. For example, in March 2021, the UAE announced facial-recognition smart gates. The biometric technology uses face and iris-recognition technology to let travellers complete passport control procedures in only a few seconds. Additionally, most digital banks in the UAE have advanced security features including multi-factor authentication, biometrics and various cyber-security protocols. Also rapidly emerging is the Metaverse, and the impact it will have on knowing who you are really dealing with in a virtual world.
Dr. Hani Ragab is Associate Professor, Director of the Institute of Applied Information Security at Heriot-Watt University. He says: “Authentication, authorisation, and audit technologies fall under the umbrella of IdM. Authentication systems are classically categorised as something I am, something I possess, and something I know systems. For example, in the something I am authentication systems, biological (e.g., retina scan, fingerprint) or behavioural (e.g., typing pattern, walking pattern) features could be used to identify users.”
Bahaa Hudairi, Regional Sales Director META, at Lookout, highlights the technology behind IdM, especially in the increasing hybrid working environment: “For corporate IT departments and leaders, cloud first infrastructure architecture allows their organisations to rapidly deliver necessary hybrid working environments, and adapt quickly to emerging trends, opportunities, and challenges. Increased productivity and remote collaboration on cloud-based platforms has only accelerated because of the pandemic and is at the heart of growth or divestment plans for most organisations today.”
The human touch
But IdM technologies are not completely fool-proof, nor can they operate independently of humans. As Brian Chappell, Chief Security Strategist, EMEA & APAC at BeyondTrust, points out: “The policies are still highly dependent on humans, to define the who needs access to what, when and how. Humans are also still leveraged in confirming and attesting that the accesses that should have been granted are what was granted at the end system. The latter is a significant issue that persists because the authentication of a user isn’t directly linked with how a system authorises the user within it.”
Dr Ragab continues: “Human input and contribution are required at different levels, ranging from C-level executives to employees, and even visitors and contractors. In the context of IdM, human input will be always required until rule-based systems and AI techniques reach an acceptable level of maturity. For example, access audit processes cannot rely on using an automated system alone.”
It’s a sentiment Hudairi agrees with, summing it up nicely: “In the same way that threat actors and APT groups are made up of highly capable individuals leveraging technology to mount their attacks, corporate IT technologies are only as good as the humans employed to govern and operate them.”
With any technology, especially in the early days of implementation, the challenges it generates are sometimes as big as the problems it resolves.
One of the biggest challenges is the changing threat landscape. According to Chappell: “With each evolution of the perimeter of our systems, from standalone machines on desks through LAN, MAN, WAN, Internet, and now Cloud, the attack surface available grows dramatically. Identity is now a clear part of that attack surface, and we have to ensure we have appropriate controls in place while simultaneously handing off the operation of the identity infrastructure to third-party vendors. It needs a paradigm shift in how we think about identity and how we address securing our systems.”
Hudairi adds: “The threat landscape is changing rapidly. In the last 2-3 years, threat actors have successfully moved to cover their tracks in many ways, successfully sidestepping legislation, avoiding security services, and leveraging cryptocurrency to conduct and fund their activities with impunity. Consortium groups have shown amazing agility in employing aversion tactics, and RaaS (Ransomware as a Service) platforms have combined with the anonymity provided by crypto to deliver crippling campaigns against every industry from Finance to Healthcare.
“The world’s largest and seemingly most secure environments have fallen foul to the increasing sophistication in malware and the holes in security that still exist by way of smishing and consumer apps. Mobile devices have introduced a new range of attack vectors not found on traditional PCs such as ‘surveillanceware,’ SMS and mobile app vulnerabilities.”
Dr Ragab highlights that not all challenges are threat related, saying: “Federated identity management systems, involving multiple organisations with different policies, can easily become complex to manage and a burden for involved organisations.” This is an example of where technology gets ahead of common standards being implemented.
Looking to the future is critical, according to Chappell: “With the accelerated move towards the cloud, the attack surface is increasing while our ability to control that attack surface directly shrinks — we are relying on cloud providers to secure much of that. We see increasing adoption of external Identity Access Management (IAM) / Cloud IAM (CIAM) solutions that also offer authentication, single sign-on, centralised directory services, multi-factor and B2B integrations among others.
“Cloud Infrastructure Entitlements Management (CIEM) looks to ensure that the management of the underlying cloud infrastructure is appropriately provisioned across cloud platforms, the lynchpin of Privileged Access Management of the Cloud. While there are industry-standard protocols for much of the interaction related to identity in the cloud, there are still many to choose from and not necessarily clear winners in every category. With solutions that bridge the gaps between the various standards, it’s likely to be something we must accommodate long-term, though it should become easier with time.”
From a risk and threat perspective Hudairi says of the future: “Basically, any user or device that could potentially access your cloud data is a risk point, so organisations will continue sizing up their environments, assessing cloud services fully against risk databases, and implementing a zero-trust philosophy across the entire infrastructure to help mitigate the risk of ransomware.”
He adds: “Organisations are gradually taking a much more data centric focussed approach to their security needs, with the need to understand and meet with defined use cases that the business presents. In doing so, many are beginning to understand the power of a cloud access security broker (CASB) solution that helps implement the necessary visibility and security controls required to effectively protect corporate information across a range of device types and big cloud providers.”
However, no discussion of identity management and the future would be complete without looking at the potential issues around the Web 3-enabled Metaverse, which seems to be cropping up more often in global commentary. Where lives can be immersed and business transacted in this new world, IdM will be critical.
Chappell was very clear: “There are a number of ‘metaverses’ emerging and all altering the representation of the services they are built upon without really changing the services themselves. With that in mind, the challenges will remain the same, certainly as far as identity is concerned. Whether you’re chatting to someone on Microsoft Teams, Workday, Meta or Viveverse, they need to have a relatively high degree of confidence that it’s you on the other end. Virtual or Augmented Reality is great for the applications where it adds something to the experience but it’s still early days and whether chatting to an avatar in a virtual environment is better than a video call is still yet to be proven.”
Hudairi concluded succinctly: “The Metaverse simply amplifies the same issues with identity and security we face today. Consumers and corporate IT will need to be convinced that the virtual avatar communicating is actually the employee and not a threat actor. Having witnessed the way our first factor of authentication has been so easily lost by products and services we employ, the largely incompatible metaverses of the future will need to convince us that they can effectively protect our much more personal and sensitive biometric information.”
IdM is an area that is critical to what we do today but is becoming more important as we prepare for the technologies of tomorrow. Chappell issued a note of caution: “While these solutions offer centralised management and single identities, there’s still a plethora of authorisation models often using different terminology for the same, or highly similar, accesses or access levels.”
As was ever the way, gaining and maintaining an understanding through the soup of terminology is one of the biggest challenges.