Dark Reading is part of the Informa Tech Division of Informa PLC


12/14/2018
01:00 PM

Who Are You, Really? A Peek at the Future of Identity

Experts dive into the trends and challenges defining the identity space and predict how online identities will change in years to come.

Identity and identity management are top-of-mind for security leaders across industries. Which data is sufficient to prove people are who they claim to be? How can identifiers be protected? And what happens when a malicious actor gains access to the data that proves you are you?

"It is one of the hardest things in technology that we have to deal with," says Wendy Nather, director of advisory CISOs at Duo Security. The identity challenge is growing in size and complexity as businesses improve communications, technology, and data integration.

Twenty years ago, Nather explains, every business "sort of operated like its own island." Each had its own data center, and the types of data they'd send back and forth were very restricted. Now they've integrated more automation and transaction types between organizations.

A typical Fortune 500 company could, for example, connect with hundreds or thousands of third parties. Managing those connections, and limiting them to only those that are necessary, is one of the many issues driving complexity in the identity space. Add outsourcing and cloud services, and things get even more complicated for organizations.

"A number of functions now lay outside their control," Nather says. For third parties managing different clients, and businesses making sure third parties are doing the right thing with their permissions, it's a multifaceted challenge that will only grow as consumers jump into the mix.

Adds Ian Glazer, founder and president of IDPro: "We don't have an answer to the problem of identity for consumers throughout their lifecycle."

Identity Challenges: What's Top of Mind

Glazer points to the issue of identifiers: names, phone numbers, email addresses, and other data that make up our online identities. In a security breach, identifiers are spread to third parties who can use them to assume others' identities.

"One of the things that has been a problem for a long time, and will continue, is the relationship between people and their digital identity," Glazer says.

It's an issue we'll have to worry about in our increasingly connected society: How well do people protect the link between themselves and the data that identifies them? When we're proving our identity to online services, how do they know we're the person we claim to be?

Ideally, each of us would have our own immutable online identity to denote who we are. But the biggest problem for businesses, says Nather, is that identities evolve.

"Businesses are made up of people, and people change all the time," she adds. Identities shift when companies are acquired, when partners change, and when people leave the organization. "We don't have a good way of making trustworthy and trackable changes," she points out.

This prompts a question of how to make a trackable chain of identity ownership. Blockchain typically comes up here, Nather says, but there are problems. Blockchain is hard to correct, for starters, and humans make mistakes. She doesn't think the answer is in technology alone, but rather a mix of technology and process and a trusted group to supervise identity changes.

The identity issue will continue to grow as breaches expose more of the information people use to identify themselves online. Account takeover is "huge," says WhiteHat Security founder Jeremiah Grossman, alluding to the myriad ways in which attackers leverage the identities they steal and purchase online. "Your online persona, your identity, your accounts ... that's you."

Yet identity is more than a user ID, notes Brunswick CISO Alan Mitchell. Employees' identities tie into the system – what the system is accessing, applications people use on a regular basis – and all of those things tie into, and make up, a complex identity that could be a target for compromise.

"As we become more reliant on the Web, the attractiveness of account takeover goes way, way up," Grossman says. "Not just for the high net-worth people, but the people that surround them."

The Problems With Solutions

Think about how you interact in the real world: You get introduced, first interactions are formal, and over time you recognize people by their looks, voice, etc. "One of the paths we should be on as an industry is moving from authentication to recognition," IDPro's Glazer says. "Online, we constantly reintroduce ourselves every time. What we don't do is recognition ... and that gives the attackers the advantage."

We need to move toward a world in which machines recognize us by the way we interact with them, he continues, but the problem is this requires participatory surveillance. People have to volunteer personal and behavioral information (fingerprint, typing cadence) so devices will recognize them. On top of that, we don't have a common language to explain to consumers and employees how this recognition works and why it's necessary.

"If you want the individual to be an active participant in the process, it's incumbent they understand what the process is," he says. It's also incumbent on businesses to use the information appropriately and for its intended purposes.

When Duo Security's Nather thinks about the future of identity in a business-to-business context, she says trusted intermediaries will surface to handle the exchange of identity data between parties. If several companies in one industry have trusted intermediaries specific to that sector, they will be more likely to use that organization to handle identities among companies in the space.

(Image: Fgnopporn - stock.adobe.com)


She points to retail as an example. Most stores have to identify customers, which is easier to do via trusted intermediaries (for instance, payment processors) than by identifying individual customers themselves. Retailers can use payment processors to facilitate payments, and Nather anticipates we'll see greater consolidation of payment processing. Chances are, because the intermediary's specialty is identity management, it'll have stronger security.

There are implications for centralizing trust and identity, she continues, and one key issue is availability of data. Centralized data is less available; if a business relies on five different identities, there's a greater chance something will go wrong. A second problem is privacy.

"We don't tend to place our trust quickly and easily, especially when it comes to payments or aspects of identity that are very personal," Nather explains. Even when an intermediary seems to be trustworthy, trying to verify whether it can be trusted will be a separate question.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
UdyRegan,
User Rank: Apprentice
1/14/2019 | 9:32:03 PM
Social media usage
With an increasing population of online users who are active on social media, it is actually not surprising to learn that online identities could actually change over time. The level of anonymity that is high on the digital platform makes it even easier for online users to create a different persona of themselves for others to see. It is incredible what people are capable of exposing and withholding about themselves when they know that they are somehow protected by this anonymity screen online.
MelBrandle,
User Rank: Apprentice
1/8/2019 | 2:01:13 AM
You get what you Pay for
At the end of the day, I think that a lot of businesses only trust what they have spent their money on. If you are willing and able to pay the price, at least you have someone else to blame if anything screws up right? That's the service you pay for!