Identity eats security: How identity management is driving security

New intelligent identity management systems are changing the way organizations authenticate users and devices, and they’re making identity the new security perimeter.

Become An Insider

Sign up now and get FREE access to hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content. Learn more.

Protecting data and assets starts with the ability to identify with an acceptable level of certainty the people and devices requesting access to systems. Traditionally, identity has been established using a “secret handshake” (user ID and password) that gets the person or device through a gateway with access to permitted systems. Once through, few safeguards are in place to further confirm identity.

Now, organizations are starting to take a wider, more complex view of identity to authenticate and authorize people and devices to provide a much more reliable, context-based confirmation of identity than a user ID and password can. “We need to take identity from its current state of managing groups, resources and networks in a fairly static way, to a more real-time view of access control through intelligence and machine learning,” says Andre Durand, CEO of Ping Identity.

That approach requires a more comprehensive look at other factors that determine identity, specifically behavior and environmental attributes. Understand everything you can about the customers, employees, and devices connecting to your systems, and you can build a unique profile for each one that would be extremely difficult for a hacker to copy.

Changing the way enterprises use identity to authenticate and authorize is also driving structural changes within the organization. The people who are responsible for identity have typically not been associated with security. That’s changing as security focuses more on identity as a front-line defensive concept, and it’s having a profound effect on both groups.

“Security absorbed identity, but identity is eating security,” says Durand. As organizations build security strategies that start with strong authentication, identity becomes the new perimeter.

Why identity management is changing

User IDs and passwords are now pointless. They can be easily hacked or bought. That’s why most enterprises with high-value data to protect have gone to at least two-factor authentication (2FA). Even 2FA is becoming less secure as tokens or smartphones can be compromised or stolen.

Not only are passwords ineffective, they annoy people. Consumer-facing businesses want to remove friction from customer interactions, and organizations want to do the same for their employees. Passwords generate a lot of friction.

The trend toward digitalizing business is also increasing demand for better identity management and strong authentication. “Digitalization is driving a lot of customer journeys that didn’t exist before,” says Jatin Maniar, vice president marketing and alliances for passwordless, universal authentication vendor Nok Nok Labs. Those journeys often force developers to make trade-offs between security and convenience. “Better user experience and security underpinnings lead to increased engagement and improved risk posture,” he says.

To continue reading this article register now

SUBSCRIBE! Get the best of CSO delivered to your email inbox.