In this interview with Help Net Security, Miles Hutchinson, CISO of Jumio, talks about the pain points of identity and access management and the importance of strengthening identity strategies.
After a year of major cyberattacks, it’s clear that identity and access management still needs strategic changes. Where have organizations gone wrong?
One of the biggest takeaways from the SolarWinds attack was that it served as a reminder to the world that identity infrastructure is a target. Organizations need to realize this pattern and implement identity verification accordingly.
The usual identity-related security issues and challenges organizations face are typically caused by outdated identity and access management (IAM) solutions or a disjointed approach to identity verification, which can leave cracks and vulnerabilities in an organization’s attack surface.
Historically, organizations with identity verification needs have used countless solutions to verify user identity, examine identification and supporting documentation, authenticate them each time, ensure they are not on any watchlist, etc. However, this approach is costly, complicated and creates additional security risks because it does not adequately spot cybercrime and holistically verify user identity.
What should security leaders do to optimize identity strategies?
To combat today’s emerging threats, security leaders must rethink their identity security strategies and approach online identity assurance holistically by consolidating identity verification services whenever possible. For example, there are now unified platforms that not only assess the risk of an individual, but also the devices associated with them, the IDs they have used and their facial biometrics — all through a single application programming interface (API) layer.
With modern, end-to-end identity verification technology in place, it is less likely to have vulnerabilities in identity and IAM systems that hackers can exploit to gain access to sensitive internal data. That is why many security-first organizations are now moving toward a single, comprehensive identity verification solution that consolidates capabilities from confirming user identity to maintaining compliance.
What could be the challenges in achieving identity management optimization?
Digital identity management can be highly complex for enterprises. Many organizations face identity sprawl due to the thousands of identities they need to verify and secure, which includes human (employees, customers), machine (bots, devices) and application identities. Additionally, the level of technical debt and security baggage that comes with historic solutions can have a detrimental impact on the speed of change or the willingness to even consider a significant change to an organization’s identity management approach. However, it is this apathy or level of “leave it as it’s too complicated” that plays into the hands of the bad actors.
Making bold steps and big decisions on subjects where the associated risk may not be obvious to the board or the executive team is always a challenge for security teams to enjoy, but security teams really need to speak up, find their voice and help their businesses understand their identity management risks in context to the performance of their companies’ goals. Standing still is never an option in security, as it will more often than not result in you being caught off guard.
What role does automation play? Could it be the solution to the problem?
Automation is critical to achieving identity assurance at enterprise-scale due to the extraordinary complexity and massive volume of human identities, machine identities and application identities. IT and security teams must utilize automation to continuously manage and protect these identities because it is impossible to keep up with the volume of identity verification requests manually.
To achieve automation, many enterprises leverage augmented intelligence — automated systems that function based on the direction or input from humans. Augmented intelligence uses machine learning and natural language processing to analyze data at scale and provide real-time decision-making for the identity verification process.
How do you see identity and access management evolving in the future?
As mentioned above, consolidation of identity verification solutions into one end-to-end platform will be a trend we will continue to see in the industry over the next few years. By 2023, 75% of organizations will leverage a single vendor for identity verification capabilities and connections instead of using various other third-party solutions for identity proofing and affirmation, an increase from fewer than 15% in 2020.
We’ll also see an increased focus on the topic of digital identity. COVID-19 has catapulted digital identity from niche technology circles into mainstream political debates. The pandemic forced governments to realize the importance of providing and validating identity information remotely for resilient operations, so it has risen on political agendas around the globe. Looking ahead, Bring Your Own Identity (BYOI) or identity wallets will enable users to select an assurance identity (such as a government eID or bank identity), to assert their identity when accessing separate organizations’ digital assets.