By Lalit Ahluwalia, CEO and global cybersecurity head, Inspira Enterprise
When we talk about identity in terms of cybersecurity, what are we really talking about? It's an amalgamation of digital identities - things like usernames and passwords - that are used to authenticate users and grant access. It's not that different from physical identity - like the driver's license, social security number or work badge that is assigned to you as an individual. This identity authorizes you and gives you certain access to where you can go and what you can do - whether it's traveling abroad, purchasing alcohol at a bar, or filing your taxes. Access is given based on the permissions you hold.
The same concept applies to the digital world. Each individual user is granted an identity, and that identity is given privilege to access certain areas of your ecosystem. It's how you ensure the right people have access to the right things - and vice versa.
Seems simple - so what's the catch?
It can be tempting to think that identity is simple to define, but there's an important difference between the physical and virtual worlds. In the physical world, an individual is born with one true identity, and that's the identity they carry with them in all aspects of their life, which makes establishing access simple. In the virtual world, people have hundreds of identities - every single online account someone is associated with counts - whether it's a Netflix subscription, your social media handle, an Amazon ID, a bank ID; the list is seemingly endless.
The problem statement becomes: How can organizations verify and keep up with these near-infinite digital identities? The first line of defense became identity management or access management in a corporate setting. This establishes who has network access and what kind of access they have. But identity and access management isn't just a corporate problem - it's much bigger than that.
The proliferation of online accounts and exposure has given threat actors countless points of access to attempt to steal someone's online identity. How hard is it to do this? Consider that individuals typically have 50+ accounts across the web. Are there going to be 50 different passwords? That'll either be a nightmare for people to manage, or they will fall back to one password for perhaps 10 applications each. The moral of the story is that it is incredibly easy to steal passwords, given the amount of exposure each individual has in the digital world - and this can create a hole in the corporate network where that individual works.
Proposing a solution: A global trust framework
In the physical world, what would happen if individuals had to carry 50 different driver's licenses, one for each state, or a different passport for each country they wanted to visit? That would be madness. Yet that's exactly what's happening in the digital world today. And it's not rocket science to understand why. Using most solutions offered today is like using the best wallet to keep your 50 identification cards secure. The issue isn't which wallet to use or how to carry it; the issue is that you have 50 IDs.
The alternative is to have one ID that is properly secured and can be used globally. This level of simplicity requires a global trust framework. The password system needs to be a trust framework system, similar to a passport. A new passport isn't needed for every country visited; it is part of a global trust network. This is the concept that needs to be established to simplify the landscape.
That's the real problem statement with identity security. It's less about establishing the access points and more about dealing with the multitude of identities each individual carries and the risk that this entails.
Three steps to begin the process
Obviously, creating a global trust framework that has federal backing is going to be an extremely large undertaking and is years from coming to fruition. That said, there are steps organizations can take to create this environment within their own ecosystems.
- Create an internal corporate passport that requires strong, multi-faceted authentication and use those points of identification to grant access to your corporate network. Too many organizations have separate accounts, IDs and credentials for their various systems and applications. These end up being points that are vulnerable to threat actors. By setting up an identity system internally, access can be controlled more easily.
- Implement more than simple multi-factor authentication (MFA) with SMS verification. For a corporate-wide ID system to work, it needs heavy defenses. Aside from creating strong passwords, other verification methods must be in place. SMS alone can still be thwarted by threat actors - so including things such as biometrics is key.
- Overall, simplify the identity access and governance surrounding the identity, defend it well with the proper authentication methods, and define the business outcomes you're looking to achieve - for instance, seamless and secure access that truly can enable meaningful business without introducing threats like ransomware and fraud.
Toward stronger, safer identities
Identity security is shifting with the constantly emerging threat landscape. There have been too many stories about criminals using stolen passwords from employees' personal apps to breach their companies' networks. Until a global trust network can be established, organizations can use the three steps outlined above to create global corporate identities that will help strengthen their overall security posture. This will also more seamlessly help move the organization toward its business goals.
ABOUT THE AUTHOR
Lalit Ahluwalia is the CEO and global cybersecurity head for Inspira Enterprise. He is a cybersecurity executive and strong IT leader with a professional track record of successfully establishing cybersecurity programs and helping his clients be secure in the face of a constantly evolving cyber threat landscape. He has led the North America Security practice for Accenture, the Global Cybersecurity practice at Wipro, and a diverse portfolio of security initiatives for Deloitte and PwC.