Identity Security is now regarded as the “digital front door” to the network, spanning across users, devices, applications and infrastructure.
In the 1995 movie The Net, the protagonist Angela Bennett (played by Sandra Bullock) – a computer professional who tests new (security) software for bugs and removes viruses from people’s computers – accidentally gets into hot water and is pursued by agents from three letter agencies. In one of her chatroom sessions online, a friend lures her to click on a pi symbol on a website seemingly devoted to Mozart. Doing so enables them to access Bennett’s computer files. Her identities – driver’s license, credit cards, bank accounts – are all deleted. She loses her apartment and worse, her records are erased in census databases, making her identity non- existent. This is an example of how digital identity theft could impact an individual. But it can also apply to organizations like ours.
This incident can happen to any of us today, as our identities are digitalized, and we use them to log into online services on the Internet. Identities provide access to resources on internet or on-premise. As more organizations move their infrastructure to the cloud, Identity and Access Management solutions become significant. Employees also work from anywhere today and access company resources from the internet or VPN. This calls for stringent access control governed by identities. An Identity and Access Management (IAM) solution secures digital identities; IAM is essential for the adoption of Zero Trust models in the enterprise.
What are Digital Identities?
It’s natural to think that identities are only for people. But in the digital world that we live in today, with personal and business assets increasingly digitalized, identities are available for applications, workloads, systems, and electronic devices.
A Digital Identity is a unique piece of information used to identify an individual, an organisation, a device, a workload, or an application.
Let’s start with people. We have login credentials for accessing our email, bank accounts, the online newspapers we subscribe to, e-commerce sites we shop at, and the government services we use. There are credit card numbers with unique PINs and CVVs. Governments issue national identity numbers to citizens – social security numbers in the West or Aadhaar number for an Indian citizen. Tax authorities in India issue PAN IDs to individual tax payers and TAN numbers for corporations responsible for deducting tax at source (TDS). Entrepreneurs and organizations in India need to have GST numbers to conduct business.
For devices like smartphones, computers, and IoT devices, there are MAC and IP addresses. These connected devices need to be uniquely identified since they are used for sending and receiving information via the Intranet / Internet.
Applications are interconnected via Application Program Interfaces (APIs) and have unique identifiers.
Workloads have global task IDs, and session IDs. UUIDs or Universally Unique Identifiers are used for identifying information exchanged through global databases. These are also used for tracking information.
Identity and Access Management Challenges
An organisation’s IT infrastructure was once centralised with all resources in an on-premise data centre. There is “perimeter security” in the form of a firewall – security software or an appliance that inspects all data packets leaving and entering the enterprise network. The analogy is our building security checkpoint at the main gate. Security personnel question all visitors and call you on the intercom for permission to allow them to pass through and visit our office / home.
But as IT infrastructure moves to the cloud and employees start working from home and remote locations, the infrastructure becomes decentralised. With the availability of online / VPN services, employees along with assistance from the IT department, helped themselves to access services on the cloud with a swipe of their smart cards or various authentication mechanisms. A resource for storage, for instance, is a service like Box or Dropbox. IT department facilitates resource provisioning and a self-help approach also known as “shadow IT.”
Enterprises too started moving pieces of their IT infrastructure to the cloud, as the cloud offers benefits like cost savings, flexibility and scalability. To do this, they transformed their business processes and IT infrastructure – or embrace Digital Transformation.
Digital Transformation in organizations accelerated during the pandemic, as more employees began to work remotely. Customers started consuming services through apps. So, we also witnessed consumers embracing digitalization. Food delivery apps with food ordered from “cloud kitchens” is a prominent example. Online shopping and OTT entertainment apps are a few more examples. People stayed at home during the pandemic and started consuming services from the cloud via apps.
To remain competitive, businesses had to embrace digitalization at a rapid pace and advance their digital transformation plans. It was either that or bankruptcy and losses.
With the proliferation and rapid adoption of cloud services, enterprise IT architecture and infrastructure became decentralized too. Organizations now have their infrastructure spread across multiple clouds from different service providers: Microsoft Azure, Google Cloud Platform, Amazon Web Services and other alternative cloud providers such as Netmagic and Snowflake. As resources spread in multi-cloud or hybrid clouds (on-premise and cloud), identities get further distributed. We experience “identity sprawl” which makes visibility and control of identities a huge challenge.
To compound this problem, employees have started using their personal devices to access resources on the enterprise network. And as we know, the security on personal devices is not as robust as what one would find on a company-issued laptop or server behind a firewall.
With the advent of IoT and IP-enabled devices, thousands of devices are connected to corporate networks. This compounded the problem. Remember, devices have identities too.
In the industry, people say the increase in devices and identities, especially from remote locations, “broaden the attack surface.” In plain terms, there are now more doorways to secure.
Let’s explain this using the real-world analogy of building security. Imagine what would happen in your society if there were more entry points to your society compound and not all of them were locked or manned by security personnel – or if there were no CCTV cameras. The likelihood of a security breach increases manifold.
Why is it important to Secure Identities?
Bad actors and hackers observed the decentralisation of IT infrastructure and turned their attention to devices used by remote workers. We use the term “endpoint” to refer to these devices. These bad actors know very well that home networks and endpoints are not as secure as required. When was the last time you changed the password on your home router? Every security professional knows that home routers have default passwords that are known to hackers.
Employees who do not practice security hygiene are careless about clicking on malicious links in phishing emails. This very action throws open the gates to the corporate network, as the user endpoint is connected to the enterprise network via the internet. Hackers try to steal identities and credentials from end users. Credentials are your login details.
According to a report, 80% of attacks originated through compromised credentials. Over 90% of all organisations have experienced a breach that stems from a poor identity security.
The report also states that Identity Security is regarded as the “Digital Front Door” to the network, spanning across users, devices, applications and infrastructure. Trends like Zero Trust and Cloud security increase the importance of Identity Security, and the use cases and capabilities evolve through the advancements, both positive and negative.
Identity and Access Management (IAM) solutions can secure digital identities. The report expects the IAM market to grow between 2023-2026, with most companies focused on the Employee Identity market and speciality vendors targeting the Privileged Account sub- segment.
