Changing Concepts of Identity Underscore 'Perfect Storm' of Cyber-Risk

Security teams are facing "the perfect storm" these days, with four seemingly major contributing factors at play: AI and generative AI; geopolitical dynamics; changing regulatory compliance requirements; and, notably, continuing growth in ransomware. They all lead to a very complex threat scenario that requires significant effort from cybersecurity professionals to protect their enterprises. At the heart of these next-gen cyber defenses lies the core concept of identity — and unfortunately, what identity actually entails is significantly shifting.

That's according to Alberto Yépez, managing director at Forgepoint Capital, who laid out the perfect-storm warning at one of today's Dark Reading Virtual Event keynote sessions focusing on "Game-Changing Cybersecurity Technologies."

Yépez noted that, for instance, security teams can't combat ransomware through one solution alone. Ultimately, the goal a threat actor has in using ransomware is to access sensitive, valuable data located in someone's network, and they do that by attacking a core networking principle that affects many different systems. "They want to try to compromise your identity," says Yépez, because that's the entry into the rest of the kingdom.

"The moment [threat actors] get in, they try to exploit vulnerabilities in your network. They go and search for known vulnerabilities either in your own personal device or in your servers or network," he said. "They stay in your network and try to understand what information becomes critical for them so that they can benefit the most."

Developing Next-Gen Identity Protection Solutions

When it comes to the identity technologies that companies use to protect themselves, Yépez argued that they aren't fully serving us anymore. Users need to be vigilant about protecting their credentials if they want to protect their personal identifiable information (PII), but the key to addressing these problems goes beyond just developing new identity management solutions and practices. We also need to change our perspective of what identity is and what it is becoming.

As Yépez noted, "Identity is not just us."

He explained, "We ourselves have multiple personas. Every time we have an account, or an ID that we set up in our system or a banking system [it's a new ID] — we have so many different identity and digital personas." He added that "even software has an identity," with its own sets of credentials that need to be safeguarded.

"Don't just limit yourself to [thinking] that identity is just the individual or multiple digital personas," Yépez said, explaining that in addition to software instances, mobile applications have their own identities, as do various infrastructure parts, browsers, routers, cloud buckets, and everything in between. If these are all aspects of a company's multifaceted identity footprint, then every aspect of it needs to be managed and to be protected from threat actors.

This, of course, makes it even more difficult to protect organizations from threats, but thinking about identity through this perspective broadens security teams' collective perception of the threat landscape. In the era of "multiple digital personas," security teams have to consider all the moving parts that require attention — especially with the aforementioned perfect storm always on the horizon, in the form of the latest technologies and the threats that accompany them.

As Yépez says, "At the end of the day, once those credentials get compromised," all bets are off in terms of data protection.