As we enter a new decade, it’s interesting to see how far we’ve come over the past 10 years in terms of access and identity management. When the 2010s began, only 38 per cent of data breaches used stolen credentials; by 2017, this figure was 81 per cent. As the pace of digitization has increased, identity and access assurance has become a critical issue and the single most important control for managing digital risk.
From an eBay database being stolen using employee credentials in 2014, to passwords from high profile breaches of companies including Google, Yahoo and Hotmail all ending up for sale on the Dark Web; identity has been at the heart of some of the major security incidents in the past decade.
Jim Ducharme, VP of Identity and Fraud & Risk Intelligence Products at RSA Security.
As we have become more reliant on digital interactions that rely on identities, new and unprecedented security challenges have been raised. We need to be able to trust the device, the networks and the user; even though we can often no longer see who or what that is. Identity has become a crucial weakness that hackers are exploiting. But with the increased focus on identity, there’s also an opportunity for organisations to strike a better balance between endpoint security, innovation and an employee’s authentication experience.
We’ve already seen a huge rise in identity theft, with credentials for sale and thousands and passwords used to maliciously attack companies, but the next decade will see an evolution of identity security, with secure but user-friendly identity strategies on the horizon. From making use of new technologies, including those embedded in today’s smartphones, to eliminating the dreaded password altogether, we can expect the next ten years to transform the way identity impacts the corporate and hacker worlds in several key ways:
1. Credential theft becomes credential hijacking
We continue to see the same security trend echoed year after year – compromised credentials are the number one attack vector for malicious actors; the market for stolen corporate credentials has become a booming business for cyber criminals over the past decade. Looking ahead, however, we can expect hackers to begin to shift their attacks from simply using stolen credentials that are available on the dark web, to infiltrating password recovery mechanisms in order to harvest and then reset user credentials themselves. In other words, attackers will successfully take over user identities and re-establish them with new usernames and passwords, thereby gaining access to critical assets at organisations.
As the attack surface shifts from away from simply attempting logins with stolen credentials, the stakes will become much higher and will require a new security approach focused on employee monitoring to prove a user is who they say they are – even if they’ve logged in seemingly legitimately.
2. ‘Passwordless’ authentication is on the horizon, but we need to prepare for the consequences
As organisations continue to look for ways to protect users while making security as seamless and invisible as possible, we’ll see a huge increase in those adopting ‘passwordless’ security innovations. But while it’s becoming quite common to leverage face or fingerprint ID, today most passwordless authentication is still rooted and reliant on password management and usernames for account enrollment and recovery. Because of this, they are really “less passwords” rather than truly “passwordless”. As the journey towards true passwordless authentication continues, organisations will also need to think about the varying user needs across their organizations considering the dynamics at play. For example, as with any IT change, there’s likely to be an initial and evolving burden on help desk support; users who are not required to use a password day-to-day are almost certain to forget and disregard credentials at a higher rate, thereby requiring more support than they did before.
3. Authentication will need a personal touch
As we move towards the passwordless world, organisations are today facing a plethora of choice when it comes to their authentication strategies. With constant innovation and evolution in technology, there are now many more ways than ever users can verify who they say they are and access resources; from push notifications, to behaviours, to one-time passwords, biometrics, hardware tokens and more. This can make it difficult for organisations to choose the appropriate authentication strategy. One thing is for sure: there won’t be a one-size-fits-all solution for the varying identity and access management needs across different organisations with dynamic workforces. What we can expect to see is organisations making much more personalised decisions on authentication, so they can strike their own balance between security and user experience.
4. Get ready for the rise of the machines
It’s not just employees that will present new identity challenges in the next decade – we’ll continue to interact with devices in new ways. It’s only a matter of time until smart home devices like Alexa, Siri, Google Home, smart lightbulbs and access devices like smart door locks will begin to transition from purely consumer devices to being leveraged in business and corporate settings. As these automation technologies aid us with more and more complex tasks, the need for these devices to understand who can command them and who they are acting on the behalf of will become much more critical. So, as we use tech-enabled personal assistance for more critical parts of our lives and businesses, it certainly will matter who ‘Siri’ and other devices take orders from.
Welcome to 2020!
As the next decade brings new technology, opportunities and challenges, identity will take front-and-centre priority in the cybersecurity conversation. With attackers developing smarter ways to compromise credentials and as automated devices become more widespread in our corporate worlds, identity will become both a key battleground and an opportunity. The blurring lines between corporate and consumer technology means any identity strategy needs to be both secure and convenient. Success will be all about striking the right balance.