Access control. Looking beyond the horizon.

Tomcat



Identity Management will be at the epicenter of digital transformation over the next few years. The steady growth of organizations' IT landscapes and the increase in the number of identifiers and their attributes create problems for access control. Therefore, the architecture of IdM solutions must become more flexible and adaptable in order to ensure the confidentiality and integrity of data both in the current IT infrastructure and, most importantly, to preserve these properties when scaling.

Do you want digital? - Identify yourself!

Identification is the basis that is used in all areas of our life, be it politics, medicine, education, industrial or financial activities. Almost all areas of human activity are now, to one degree or another, going digital. And in the digital world, identification is the cornerstone of any interaction. In any relationship, it is necessary to determine who or what you are, what is known about you, how you relate to other objects, what you are allowed to do in a particular environment.

The digital world is made up of objects, logical or physical. Objects can be employees, clients, applications, devices, etc. Each object must have an identifier in which certain parameters of this object are fixed. An identifier can be simple or very complex, depending on how and by whom it is used. But for communication and recognition of this identifier in connected processes, it must be unique.

Identities are often verified by a third party. For example, in order to confirm their identity to an organization, a person introduces themselves and then presents a passport, birth certificate or other document, thereby authenticating their data (confirming it). After going through the identification and authentication procedure, the person receives the privileges or permissions they needed.

Identity Management (IdM) solutions address such issues on a global scale. As part of identification and authentication, they define an object by looking at many attributes: ID, password, digital certificate, fingerprint, additional access code, etc. As part of authorization, they consider roles, rights, individual attributes, on the basis of which a decision is made what a particular object is allowed to do in a certain environment and what is not. More advanced Identity Governance and Administration (IGA) solutions combine credential management and rights management with administration that takes into account company policies for separation of duties and critical mix of powers, as well as role management, logging, analytics, and reporting.

To support all these processes, a variety of programs, technologies and services are used. They should provide easy and prompt search for information in huge data stores, be able to compare this data, identify discrepancies, issue permissions or reject high-risk transactions. In other words, they should provide a secure and trusted environment for communication.

In the development of access control systems in recent years, a major breakthrough has been noted. It is worth noting, for example, the inclusion of MFA (Multi-Factor Authentication) and SSO (Single Sign-On) technologies in IdM / IGA solutions. This combination allows for the creation of a secure and efficient environment for identity, authentication and access management, and therefore will be in demand in the future.

But we are all constantly developing and striving to enter the world of new digital technologies: developing new products, offering new services, riding the wave of innovation. Given the pace of business development we see now, when identity data is everywhere, has long since left the boundaries of individual applications, systems and organizations, and lives in the global Internet space, there is a constant risk of data loss, theft or compromise. Ever newer approaches to managing data and access to it must be found in order to feel secure in the 21st century.

Consider the key development trends that will stimulate the development of information technology, and in particular access control technologies in the near future.

Internet of things (IoT)

Almost everything in the physical world can be labeled, from pens and light bulbs to airplanes and spaceships. All items can be equipped with sensors that will monitor their condition and analyze the collected data on their own, or transfer them to third-party software for further analysis.



MAYA BBG President Mickey McManus explains in his book Trillions that we are rapidly approaching a world with trillions of nodes connected to a global network that must communicate with each other. This situation creates great difficulties in maintaining the security and confidentiality of data. [1]

The infrastructure needed to support this scale should include new object registration capabilities, security policies, a governance model, review rules, audit mechanisms, and historical data storage. In addition to identifying and managing connected devices, it is necessary to understand the client connected to the network.

The future of access control systems coupled with IoT lies in contextual data recognition, advanced filtering, artificial intelligence, and behavioral analytics. The main goal for devices connected to the IoT is to make use of the received data, for example, for research, analysis or predicting future behavior. This symbiosis can be used in retail to conduct marketing research and predict future sales, or in industry to monitor the status of equipment and decide on its modernization.

Therefore, the systems that create such an infrastructure must constantly evolve in order to ensure the possibility of safe interaction between objects, environments, devices and provide the necessary level of access to them for collecting and analyzing data and providing the required level of service.

Big data, context analysis and artificial intelligence

The Internet of Things, complex analytical and predictive systems strive to obtain as much user or device data as possible. This process is constantly progressing. Big data is analyzed and later can be used to understand future development trends, to identify abnormal behavior, to protect assets, etc. The more information can be obtained and used, the more likely abnormal behavior can be distinguished from normal behavior. Contextual data, that is, more detailed, more accurate, may include, in addition to identification information, data on location, behavior, preferences, temporal or role characteristics, and much more.



We have all come across the situation where, after visiting certain web pages in search of information we need, we later receive advertising links to exactly those products we were interested in some time ago. Or navigation systems, periodically tracking our location, immediately offer us a ready-made route from home to work. Contextual data can be used in all areas of our lives: in the financial, medical, high-tech and industrial sectors. Sources of this data can be the Internet (social networks, blogs, forums), readings from devices and sensors (meteorological data, cellular data), and corporate sources (transaction data, databases and others).

But in the process of collecting and processing data, a clear boundary must be drawn between the benefits obtained from data analysis and the damage if the data is used for malicious purposes. For example, nowadays a very fashionable and useful trend is the use of children's watches to track the location. Every parent wants to know where his child is and to be able to protect his child from possible troubles. But the same data can get to attackers who can harm the child. Or, transaction data from financial companies can be used both for analytical research to predict future demand and increase customer focus, and for committing fraudulent actions if they fall into the hands of an attacker.

Therefore, modern systems that manage identity and access based on context must be focused on a high level of security when working with data and to prevent possible risks.

Since contextual data can be presented in an unstructured form, artificial intelligence and machine learning come to the rescue. Many modern solutions, for example, advanced DLP systems, already include functions for detecting abnormal behavior. Future access control systems must also be equipped with capabilities for both anomaly detection and predictive future behavior and statistical modeling. This will allow you to manage access proactively, which is important to protect your assets and maintain confidentiality.

Privileged Account Management (PAM)

Any company using information systems creates accounts to support these systems, including for critical situations. For example, financial companies create accounts with unrestricted access for administering databases or for use in emergencies, in order to prevent system shutdowns in time. Or accounts with full access to confidential information for security teams. Naturally, the owners of these accounts (system administrators, senior management, security personnel) become potentially dangerous. Beyond legitimate access to restricted information for official use, such rights give them the ability to carry out unauthorized actions and operations, up to completely disabling the company's systems.



Everyone is aware of the periodic cases in which confidential data of clients of various Russian banks, including companies in the TOP-10, has appeared on the global network. In addition to malicious behavior, administrators can make accidental errors that lead to disruptions, which can also be costly for the company. According to statistics, the most serious security incidents involve the use of privileged accounts. Often, accounts with privileged rights are ownerless: several employees use the same account, and it is not assigned to a specific employee.

All this suggests that privileged access must be kept under special control: effective control and constant monitoring of the use of elevated privileges are necessary.

Therefore, modern access rights management solutions have begun to integrate with privileged access management (PAM) functions. It is a set of technologies that enable organizations to identify, protect, and control elevated accounts to minimize risks of loss and enforce security policies. Privileged access should be personalized and provided only when clearly needed, promptly revoked upon completion of a task, and specifically monitored throughout the lifecycle. Multilevel authentication, video and text recording of administrator sessions, a separate process for creating and accounting for privileged identifiers are the main tools for working with privileged access, which will be intensively developed in the coming years.
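The lifecycle just described (a grant tied to a named person and a reason, time-boxed, revoked on check-in, and every use logged) as a small added model; this is illustrative code written for this page, not a PAM product's implementation, and the account name, owners and times are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is one time-boxed checkout of a privileged account by a named person.
type Grant struct {
	Account, Owner, Reason string
	Expires               time.Time
	Revoked               bool
}

// Vault tracks active grants and an append-only audit trail.
type Vault struct {
	grants map[string]*Grant // keyed by account: one holder at a time
	Audit  []string
}

func NewVault() *Vault { return &Vault{grants: map[string]*Grant{}} }

func (v *Vault) log(format string, a ...interface{}) {
	v.Audit = append(v.Audit, fmt.Sprintf(format, a...))
}

// Checkout binds the account to one owner for a limited time. A blank owner or
// reason is refused: that is the "ownerless" shared account the article warns about.
func (v *Vault) Checkout(account, owner, reason string, now time.Time, ttl time.Duration) error {
	if owner == "" || reason == "" {
		return errors.New("privileged access must be tied to a named person and a reason")
	}
	if g, busy := v.grants[account]; busy && !g.Revoked && now.Before(g.Expires) {
		return fmt.Errorf("%s is already checked out by %s", account, g.Owner)
	}
	v.grants[account] = &Grant{account, owner, reason, now.Add(ttl), false}
	v.log("GRANT %s -> %s (%s) until %s", account, owner, reason, now.Add(ttl).Format(time.RFC3339))
	return nil
}

// Allowed is the check a PAM gateway performs before every privileged action:
// the caller must be the grant's owner and the grant must be live and unexpired.
func (v *Vault) Allowed(account, owner string, now time.Time) bool {
	g, ok := v.grants[account]
	allowed := ok && g.Owner == owner && !g.Revoked && now.Before(g.Expires)
	v.log("USE %s by %s allowed=%t", account, owner, allowed)
	return allowed
}

// Checkin revokes the grant as soon as the task is done.
func (v *Vault) Checkin(account string) {
	if g, ok := v.grants[account]; ok {
		g.Revoked = true
		v.log("REVOKE %s from %s", account, g.Owner)
	}
}
```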

Blockchain

The technology that first appeared and was used to support cryptocurrency has now become firmly embedded in our lives, and its use will soon spread to many industries and areas of human activity. The key feature of blockchain technology is the decentralization of the system. For information security, this means that there is no single server holding the data that could be hacked, since such a server simply does not exist.



This technology can be in demand in the financial sector, in the medical industry, in the branches of government - where the safe storage and transfer of documents or funds and confirmation of the identity of people or assets is required. With the help of blockchain technology, a user can store a lot of his data in a secure distributed storage and decide who can access his information and in what situations. Many countries are already actively using this technology, for example, in the public administration or medicine, where all data about citizens, including medical information, is stored in a single distributed registry and can only be used by authorized persons.

For cybercriminals trying to penetrate the internal perimeter of a company's information resources, user credentials are a prized catch, especially if they carry extended rights to access information resources. If such data is stored on a central server, there is a risk of that server being hacked and the credentials stolen. With blockchain technology, the function of a centralized entity disappears. By eliminating the "central custodian" of these credentials and replacing them with public and private key pairs for logging in, we can still use the former centralized entity to authenticate and identify who logs in. At the same time, there is no longer a centralized store of credentials that attackers can easily obtain and use to cause harm.

For example, while working on this kind of solution, the American company REMME has developed a blockchain-based public key infrastructure (PKI) for secure data exchange between browsers and servers. The solution is built on a proven public key infrastructure model hosted on a web of trust in the form of its own blockchain. The ledger stores a hash of the public key and a record of its current state, valid or revoked, while private keys are stored on devices such as the user's computer or mobile device. This technology replaces the authorization trust model with a computation trust model, which eliminates the need for organizations to trust a CA, as is common in traditional PKI solutions.
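The verification rule implied by that design (the ledger holds only a hash of the public key plus a valid/revoked state, the private key stays on the device, and a login is accepted only if the signature verifies and the ledger still lists the key as valid) as an added, self-contained illustration. This is not REMME's code; the in-memory Registry stands in for the ledger and Ed25519 and SHA-256 are assumed as the key and hash algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyState mirrors the two states the article says the ledger records.
type KeyState int

const (
	Valid KeyState = iota
	Revoked
)

// Registry stands in for the distributed ledger: it stores only the hash of a
// public key and that key's current state, never the private key.
type Registry struct {
	states map[string]KeyState
}

func NewRegistry() *Registry { return &Registry{states: map[string]KeyState{}} }

// fingerprint is the value written to the ledger for a public key (assumed SHA-256).
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Register records a freshly generated public key as valid.
func (r *Registry) Register(pub ed25519.PublicKey) { r.states[fingerprint(pub)] = Valid }

// Revoke flips the ledger record for a key; the private key never left the device.
func (r *Registry) Revoke(pub ed25519.PublicKey) { r.states[fingerprint(pub)] = Revoked }

// Verify accepts a login message only if the ledger lists the presented key as
// valid AND the signature over the message checks out against that key.
func (r *Registry) Verify(pub ed25519.PublicKey, msg, sig []byte) error {
	state, known := r.states[fingerprint(pub)]
	if !known {
		return errors.New("key not registered")
	}
	if state == Revoked {
		return errors.New("key revoked")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private half stays on the device
	reg := NewRegistry()
	reg.Register(pub)
	sig := ed25519.Sign(priv, []byte("login:alice"))
	fmt.Println(reg.Verify(pub, []byte("login:alice"), sig)) // <nil>
	reg.Revoke(pub)
	fmt.Println(reg.Verify(pub, []byte("login:alice"), sig)) // key revoked
}
```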

In Russia, many industries are already using or testing blockchain-based technology for implementation in the fields of energy, government, finance and medicine. For obvious reasons, not everyone is open about this. But we can safely say that blockchain is one of the important inventions and the use of this technology for personal identification and data transfer will only grow.

Cloud technologies

Every year more and more applications, databases and computing power move to the cloud. And of course, cloud computing has its advantages: lower infrastructure costs, a high level of service from experienced providers, and high availability of that service.

Naturally, like any technology, cloud solutions have drawbacks. Not all companies are ready to transfer their data to the cloud for security reasons. To work in the cloud, you need a constant internet connection, which depends on third parties and can be unstable. In addition, there are still no full-fledged standards and clear legal regulation in this area.

Nevertheless, according to analysts, the spread of cloud technologies will only grow. And this is due to the fact that the service-oriented model of obtaining the necessary services shows itself as more convenient, optimal and promising in all areas of business activity.



The ubiquitous Internet, the proliferation of IoT and mobile devices, and an expanding consumer base are driving access control technologies, too, toward cloud solutions. Even if a company is not yet ready to switch completely to access control through the cloud, some data will still come from there, since the need to integrate with external sources keeps growing for a full-fledged business. This can be data from contractors, suppliers, customers and various trading partners.

Naturally, when using cloud technologies, the security of both the cloud itself and the solutions integrated with it, including the systems that control access to information resources, must be ensured first of all.

Transformation option: an existing mature IGA solution and its functionality are gradually transferred to cloud technology to make it easier for customers to use. In this case, difficulties in moving the architecture to the cloud inevitably arise, since on-premises technologies were not designed for this during their initial development. This means a global revision of the solution will be required, and in some cases even the development of new modules from scratch. Admittedly, it is difficult and there are too many restrictions.

Another option is the "birth" of the solution directly in the cloud, starting with the simplest modules for identification and authentication and then gradually adding more complex modules for managing rights and implementing common policies for distributing access rights and controlling them. But it must be understood that the maturity level of such a solution will initially be quite low, and it will take a long time to develop and scale it into a complex solution that covers all customer needs.

Of course, over time, both of these options will develop, and the difference between them should level out. But in the near future, hybrid solutions will be in demand, especially for large enterprises, where some functions must run on premises to work with internal resources, while others are implemented in a cloud structure to work with the external environment ...

Conclusion

We live in an era of progress, which means that excellence can be achieved only through compatibility, that is, the joint use of new advanced technologies. This naturally gives rise to new problems and security threats, and consequently to the need to develop means of protection. In this regard, approaches to solving the problems of authentication and authorization should be significantly modernized. With the advent of new technologies, new opportunities should appear to protect data and resources and to ensure a secure level of access to them. But do not forget that the starting point for modernizing and scaling access control systems should be the emergence of new technological processes for proper organization and management. This is the foundation without which the future development of Identity Management is impossible.

Author: Lyudmila Sevastyanova, Solar inRights Promotion Manager, Rostelecom-Solar
securitylab.ru