Authentication innovation, identity and credential management

In this interview, Richard Parris, CEO of Intercede, talks about how the digital world has shaped our identity, the main catalyst behind authentication innovation as well as key issues you have to deal with when implementing identity and credential management.

How has identity evolved in the digital world? What kind of changes can we expect in the next decade?
The way that we think of our identity has changed more in the last decade than ever before in human history. Long gone are the days when a wax seal and signet ring were deemed proof of authentic identity, and now even the likes of passports and driving licenses have technology embedded within them.

As the world became more tech and digitally dependent the idea of identity had to be rethought for a digital age. The physical proof provided by documents you could actually reach out and touch became defunct as identities moved online: thus began the rise in importance of the password. Unfortunately as our lives became more intertwined with the Internet, so too evolved a new type of threat – the cybercriminal – with increasingly intricate ways of plying their trade.

It’s now almost universally recognized that the standard password is nearly as redundant as the medieval wax seal; yet the question remains – how do we effectively protect our digital identities against an increasing number of online threats?

At present we are on the cusp of something that could change our lives as much as the industrial revolution changed the lives of 18th century Europeans – the next ten years will truly be the dawn of the Internet of Things and Machine-2-Machine (M2M) communications. Gartner and IDC anticipate close to 212 billion connected “things” will be in circulation by 2020 and as this space evolves and matures I anticipate that this will be the next challenge we need to brace ourselves for.

With the increase of the IoT the emphasis over the next decade will shift from the basic “cyber security” argument to a more all-encompassing view; revolving around how we actually secure our lives and actions rather than simply an online identity. As a result of this I believe that there is a need for an identity-centric economy to emerge.

What is the main catalyst behind authentication innovation today?
There are three key areas I feel are driving authentication innovation today; some are human factors and others are technology related.

First and not least in importance is the role of human nature. It has always been natural for human beings to strive to advance, innovate and improve on that which has come before them and that is still the same today.

The last decade has seen a marked change in the relationship between employee and employer and the second catalyst is born directly from this social sea-change that has occurred. As initiatives like BYOD, remote working and employee empowerment took off so too did the speed at which device manufacturers and employers were required to combat the new challenges they faced. This inadvertently led to an acceleration of innovation in the authentication space (and a great many others) too.

Finally, as technology advanced both at corporate (cloud, virtualization, etc.) and consumer level, so too did the sophistication of cybercriminals. It is often the case that when confronted with difficulties we evolve the quickest and I certainly see the rise of cybercrime as a prime motivator for innovation in this area as well.

What are the key issues you have to deal with when implementing identity and credential management? How can they be resolved?
There are a number of reoccurring issues that have to be considered and navigated when thinking about identity and credential management. One thing is certain however, building higher fortress walls (no matter how effective they may prove in the short-term), is certainly not the ultimate “end-game” solution: for this, individuals will require digital rights management and credentials that are bound to them rather than an organization or device.

As social trends move towards a “one device fits all” approach they have thrown up a number of issues around the actual types of devices being used: laptops, tablets, smartphones and even smart watches all using different operating systems and types of software.

In addition to this there are an increasing number of employees/consumers using personal devices for work purposes; often accessing company data and networks from devices that do not adhere to corporate security criteria or firewall protocols. This not surprisingly causes considerable headaches for IT departments, but can be resolved by using device authentication software.

Another serious issue is the international nature of business today. Thanks to the ubiquity of the Internet and digital ecosystem we inhabit the province of international business is no longer reserved for the large, wealthy multinationals – it’s accessible to all. While I welcome this development (Intercede is a perfect example of a British SME succeeding globally) it does highlight probably the most widespread issue our industry has to combat; the lack of a universal regulatory body or acknowledged standards.

While the US has FIPS 201 as a standard and The FIDO Alliance does have some big players on board as members (Google and Visa) these by no means extend to a universally recognized “Kite” mark, thus uniformity and agreement over quite how online identities are represented and protected is often very difficult to obtain.

Through a legitimate and universally recognized body and set of standards these issues can be overcome. However, as with all international NGO endeavors, reaching a point where all parties involved are happy with the legislation is easier said than done, and we remain some way from achieving anything like this just yet.

Based on your conversations with clients, what are they most worried about?
One thing is for sure, the Edward Snowden case starkly highlighted to the broader public the need for information to be stored securely. It should therefore come as no surprise that the increase of personal devices being used behind corporate firewalls is one of the most pressing issues that we are seeing from our customers at the moment. It’s a worry for the here and now, but one that we can combat with relative ease.

A worry that is gaining increasing momentum of late is that associated with the growth of the M2M sector. With billions of devices and “things” connecting to the Internet our customers are becoming increasingly wary about the impact this could have on security. We now need to look at security in a much more holistic manner; it’s no longer simply communications security, but rather information security we need to be aware of.

At present it’s difficult to say with any degree of certainty what the impact of the explosion of the IoT will represent in the long-term, but if we adhere to the same process that we have with BYOD there is no reason to believe it cannot be handled with the same levels of efficiency and effectiveness.