In the 1995 movie The Net, the protagonist Angela Bennett (played by Sandra Bullock) – a computer professional who tests new (security) software for bugs and removes viruses from people’s computers – accidentally gets into hot water and is pursued by agents from three letter agencies. In one of her chatroom sessions online, a friend lures her to click on a pi symbol on a website seemingly devoted to Mozart. Doing so enables them to access Bennett’s computer files. Her identities – driver’s license, credit cards, bank accounts – are all deleted. She loses her apartment and worse, her records are erased in census databases, making her identity non-existent. This is an example of how digital identity theft could impact an individual. But it can also apply to organizations like yours.
Angela Bennett’s identity was erased and replaced with a new one – with a false criminal record.
This incident can happen to any of us today, as our identities are digitalized, and we use them to log into online services on the cloud. Identities provide access to resources on cloud or on-premise. As more organizations move their infrastructure to the cloud, Identity and Access Management solutions become significant. Employees also work from anywhere today and access company resources from the cloud. That calls for tightened access control governed by identities. An Identity and Access Management (IAM) solution secures digital identities; IAM is essential for the adoption of Zero Trust models in the enterprise.
What are Digital Identities?
It’s natural to think that identities are only for people. But in the digital world that we live in today, with personal and business assets increasingly digitalized, identities are available for applications, workloads, systems, and electronic devices.
A Digital Identity is a unique piece of information used to identify an individual, an organization, a device, a workload, or an app.
Let’s start with people. We have login credentials for accessing our email, bank accounts, the online newspapers we subscribe to, e-commerce sites we shop at, and the government services we use. There are credit card numbers with unique PINs and CVVs. Governments issue national identity numbers to citizens – social security numbers in the West or Aadhaar number if you are an Indian citizen. Tax authorities in India issue PAN IDs to individual tax payers and TAN numbers for corporations responsible for deducting tax at source (TDS). Entrepreneurs and organizations in India need to have GST numbers to conduct business.
For devices like smartphones, computers, and IoT devices, there are MAC and IP addresses. These connected devices need to be uniquely identified since they are used for sending and receiving information via the Internet.
Applications are interconnected via application program interfaces (APIs) and have unique identifiers.
Workloads have global task IDs, and session IDs. UUIDs or Universally Unique Identifiers are used for identifying information exchanged through global databases. These are also used for tracking information.
Identity and Access Management Challenges
An organisation’s IT infrastructure was once centralised with all resources in an on-premise data centre. There was “perimeter security” in the form of a firewall – security software or an appliance that inspected all data packets leaving and entering the enterprise network. The analogy is your building security checkpoint at the main gate. Security personnel question all visitors and call you from the intercom for permission to allow them to pass through and visit your home.
But as IT infrastructure moved to the cloud and employees started working from home and remote locations, the infrastructure became decentralised. With the availability of online services, employees bypassed the IT department and helped themselves to services on the cloud with a swipe of their credit cards. A resource for storage, for instance, is a service like Box or Dropbox. Bypassing the IT department for resource provisioning and a self-help approach is known as “shadow IT.”
Enterprises too started moving pieces of their IT infrastructure to the cloud, as the cloud offers benefits like cost savings, flexibility and scalability. To do this, they had to transform their business processes and IT infrastructure – or embrace Digital Transformation.
Digital Transformation in organizations was accelerated during the pandemic, as more employees began to work remotely. Customers started consuming services through apps. So we also witnessed consumers embracing digitalization. Food delivery apps with food ordered from “cloud kitchens” is a prominent example. Online shopping and OTT entertainment apps are other examples. People stayed at home during the pandemic and started consuming services from the cloud via apps.
To remain competitive, businesses had to embrace digitalization at a rapid pace and advance their digital transformation plans. It was either that or bankruptcy and losses.
With the proliferation and rapid adoption of cloud services, enterprise IT architecture and infrastructure became decentralized. Organizations now have their infrastructure spread across multiple clouds from different service providers: Microsoft Azure, Google Cloud Platform, Amazon Web Services and other alternative cloud providers such as Digital Ocean and Akamai/Linode. As resources were spread in multi-cloud and hybrid clouds (on-premise and cloud), identities were further distributed. We experienced “identity sprawl” which makes visibility and control of identities a huge challenge.
To compound this problem, employees started using their personal devices to access resources on the enterprise network. And as we know, the security on personal devices is not as robust as what you would find on a company-issued laptop or server behind a firewall.
With the advent of IoT and IP-enabled devices, thousands of devices were connected to corporate networks. And this compounded the problem. Remember, devices have identities too.
In the industry, people say the increase in devices and identities, especially from remote locations, “broadened the attack surface.” In plain terms, there were now more doorways to secure.
Let’s explain this using the real-world analogy of building security. Imagine what would happen in your society if there were more entry points to your society compound and not all of them were locked or manned by security personnel – or if there were no CCTV cameras.
The likelihood of a security breach increases manifold.
Why is it important to Secure Identities?
Bad actors and hackers observed the decentralisation of IT infrastructure and turned their attention to devices used by remote workers. We use the term “endpoint” to refer to these devices. These bad actors know very well that home networks and endpoints are unsecure. When was the last time you changed the password on your home router? Every security professional knows that home routers have default passwords that are known to hackers.
Employees who do not practice security hygiene are careless about clicking on malicious links in phishing emails. This very action throws open the gates to the corporate network, as the user endpoint is connected to the enterprise network via the internet. Hackers try to steal identities and credentials from end users. Credentials are your login details.
According to the BofA Global Research report, 80% of attacks originated through compromised credentials. Over 90% of all organizations have experienced a breach that stems from poor identity security.
The BofA report says Identity Security is now regarded as the “digital front door” to the network, spanning across users, devices, applications and infrastructure. Trends like Zero Trust and Cloud security increase the importance of Identity Security, and the use cases and capabilities evolve.
Identity and Access Management (IAM) solutions can secure digital identities. BofA expects the IAM market to grow about 13.1% CAGR between 2023-2026, with most public companies focused on the Employee Identity market and speciality vendors like CyberArk and BeyondTrust targeting the Privileged Account sub-segment.
