In spite of all the cybersecurity industry’s efforts, 2019 had more than its fair share of cybersecurity incidents — and many of them involved stolen credentials.
Identity and Access Management (IAM) software has been developed to mitigate these attacks. It comprises a set of technologies designed to protect organizations and their resources while granting users access on the principle of least privilege.
- At the beginning of last year, a massive cache of 773 million usernames and passwords was released on the internet — a cache that hackers almost certainly used to commit additional crimes.
- 21 million credentials associated with Fortune 500 companies — many of them breached within the last 12 months — are available for sale on the Dark Web.
- Credential stuffing attacks — in which pairs of stolen usernames and passwords are entered en masse into a website in hopes of generating a login — have seen a dramatic uptick, with Akamai recording 61 billion attempted attacks over 18 months.
What Are the Benefits of Identity and Access Management?
IAM may prevent credential stuffing attacks by fingerprinting user devices and deploying multi-factor authentication (MFA) to detect and reject login attempts from unrecognized platforms. IAM solutions also limit each user’s access to an extremely specific, limited number of applications and services once they’re logged in.
As a result, even if a malicious actor gets hold of valid credentials and can circumvent MFA, the attack surface will be strictly constrained by the IAM solution.
IAM is also an essential enabler of software-defined perimeters (SDP). SDP creates “virtual networks of one” in which software and other resources that the user is not authorized to access are invisible. IAM enables these networks by managing and enforcing the granular access management described above.
The increasing popularity of credential stuffing attacks is one reason, among many, that more companies are adopting IAM to protect themselves. IAM is evolving rapidly to meet the needs of more companies and be even more secure, integrated, and convenient to use.
What are some IAM trends to look out for in 2020?
Identity and Access Management as a Service
Administering access to a constellation of applications and files can be tricky and demanding. Although IAM has long since moved into the cloud (with even Microsoft’s venerable Active Directory software making the jump to Azure), the responsibility for granular maintenance of the application still lies with administrators.
With IAM as a Service (IAMaaS), many IAM functions are moved to the cloud and automated. Remote users can access their tools easily, without any hassle: They simply log in through the cloud using Single Sign-On (SSO) to gain access to all the resources and solutions they need with one secure login.
With IAMaaS, connecting to security and fraud protection systems is easy and automated, enabling applications and files to be more secure without much additional effort. In addition, automation tools will drastically reduce the number of clicks and manual processes admins will have to undertake in order to add and remove users or modify permissions.
Identity and Access Management for Microservices
Microservices have been taking the IT world by storm. Instead of a single monolithic application, developers use linked, containerized applets to perform functions that would have previously been accomplished by a single, integrated app. If one component fails, the entire application does not.
Instead, an automated system spins up a duplicate of the failed component, and users experience zero downtime.
From the perspective of traditional IAM, there’s a problem with this. The separate components of an application now communicate across a network, which means that it’s possible for an adversary to listen to or falsify these communications. Sometimes these services communicate across multiple data centers using the public internet, which makes encryption and security even more vital.
As such, IAM solutions are starting to be integrated with microservices. In one such solution, each communication between microservices also includes a unique token, which is validated upon receipt. The application performs the requested function only if it receives a valid token.
This imposes a small performance hit on the application but prevents bad actors from impersonating microservices or eavesdropping on your application.
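The token check described above can be sketched as follows. This is an added example, not code from the article or from any IAM product; the HMAC shared-secret scheme, the claim names (`iss`, `aud`, `exp`, `jti`), the service names and `SERVICE_KEYS` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo secret, one per calling service (assumption of this sketch).
SERVICE_KEYS = {"orders": b"demo-key-orders-not-for-production"}

def _sign(key: bytes, body: str) -> bytes:
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)

def mint_token(issuer, audience, key, ttl=30, now=None):
    """Caller side: a unique, short-lived token attached to one request."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "aud": audience, "exp": now + ttl,
              "jti": secrets.token_hex(16)}  # unique per message
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(key, body).decode()

class TokenValidator:
    """Receiver side: do the requested work only if validate() returns claims."""

    def __init__(self, my_name, keys):
        self.my_name, self.keys = my_name, keys
        self.seen = {}  # jti -> expiry, so a captured token cannot be replayed

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(body))
            key = self.keys[claims["iss"]]
            aud, exp, jti = claims["aud"], float(claims["exp"]), str(claims["jti"])
        except (ValueError, KeyError, TypeError):
            return None  # malformed token or unknown issuer
        # Constant-time comparison of the recomputed MAC with the one received.
        if not hmac.compare_digest(_sign(key, body), sig.encode()):
            return None
        if aud != self.my_name or exp < now:
            return None  # meant for another service, or expired
        self.seen = {j: e for j, e in self.seen.items() if e >= now}
        if jti in self.seen:
            return None  # same token presented twice
        self.seen[jti] = exp
        return claims
```

The token authenticates the calling service and blocks replay of a captured message; keeping the message contents private on the wire still depends on encrypting the connection between services, for example with TLS.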
In the physical world, users have many ways to authenticate their identities that do not require usernames or passwords. They may present a driver’s license, passport, social security card or other ID card.
In the past, credit card receipts that displayed the full account number made identity theft easy. Today, when individuals validate their identity using these items, no third party (except the issuing authority) maintains a copy, so there is less risk of it being stolen.
This is self-sovereign identity in a nutshell — the idea that even online, you should be able to authenticate yourself the same way that you prove your identity in person. You store your own personal identification data, and you don’t have to provide it to companies who will store it in databases and then lose it if they get hacked.
The problem with self-sovereign identity is that there’s been no universally agreed-upon medium through which to store one’s identity and validate it — until now, at any rate. Many proponents of self-sovereign identities now believe that the blockchain, an encrypted decentralized database of personal information, represents the perfect mechanism through which individuals can easily validate their identities online.
Incorporating the blockchain has the potential to revolutionize IAM to a huge extent. Depending on where you live, your usernames and passwords might be replaced by a government-issued digital identity. This is already happening in the city of Zug in Switzerland, and your town might be next.
As the world’s major companies and governments work to eliminate the concept of the password, you can expect huge changes in the way you will identify yourself online.
Expect the Unexpected
One thing about information security is that no matter how well we prepare, the outcomes tend to surprise us. As we face a new decade, the challenges that IAM addresses may turn out to be footnotes — or may change the way we operate online.
Only time will tell if the trends that we’re looking at now, in 2020, will truly influence the world of the coming 10 years.