Identity Management Institute has introduced and defined the term Digital Identity Transformation (DIT) as the “holistic assessment and improvement of business processes, people, and technologies to achieve excellence in identity
With the number of IoT connected devices projected to grow from 7.6 billion to 24.1 billion, with revenue more than tripling from USD465 billion to over USD1.5 trillion between 2019 and 2030, there’s a growing need for managing IAM challenges in the modern IoT landscape to secure systems. Users now interact with internet of things (IoT) devices in every area of life, and each point of connectivity presents another challenge for cybersecurity professionals. To implement appropriate security measures, it’s necessary to examine the various aspects of the current digital landscape.
Smart Home Security Challenges
The number of smart homes in North America will grow to 73 million by 2021, suggesting a continuing shift toward reliance on digital technology and automation for daily task management. A smarter home, however, doesn’t automatically mean smarter security. Millions of devices collect data every day, including information about personal habits and routines, which could give hackers all they need to appropriate users’ identities.
Each device in a home is a possible entry point for an attack, yet many devices fail to offer appropriate security. The innocuous nature of small devices, such as wireless doorbells and garage door openers, makes them prime targets for enterprising cybercriminals, and devices controlled via apps and computer interfaces are similarly vulnerable. In 2017, the average IoT device was attacked once every two minutes during times of peak activity, suggesting hackers are taking active approach to infiltrate smart homes and obtain login credentials and personal information.
Securing Smart Buildings
Smart technologies are bridging the gaps between critical systems in public buildings. Managed separately in the past, services like HVAC, power and physical access control can now be handled through a single building automation system (BAS). As of early 2019, 35,000 such systems were already connected to public internet around the world, giving rise to new security concerns.
Although a BAS can provide numerous benefits for building managers, the data collected by these systems can also be leveraged to launch attacks. Tools like Shodan, dubbed “Google for the internet of things,” can point hackers to vulnerabilities in smart building systems, allowing for the introduction of malware or the complete takeover of essential functions. Hackers with access to smart buildings have the power to cut off utilities or hold the entire system for ransom. Because institutions like health care facilities may rely on smart systems to manage infrastructure, such a takeover could be devastating.
Cybersecurity in Smart Cities
The concept of a smart city is no longer as futuristic as it once seemed. Many people already spend their days surrounded by sensors and IoT devices in public places, and an estimated 70% of the global population will live in connected cities by 2050.
Smart homes and buildings are just part of the equation. Smart traffic lights, street lights, gunshot sensors and even waste management devices are in use around the world, and many of the cars traveling city streets also contain connected sensors or devices. While this growing web of connectivity has great potential to improve safety and efficiency, it also introduces an extensive new threat landscape. The potential for compromise exists in all smart city devices and systems, which could allow hackers to cripple essential emergency services or shut down entire city sectors.
To further complicate security, smart city devices have much longer life cycles than other smart devices and require ongoing management to ensure they remain up to date. An attack on a single vulnerable device could lead to the compromise of the entire system and put the city’s population at risk.
Where Does Identity Management Come In?
Every interaction within a smart home, building or city environment requires authentication to confirm the identity of the person or device initiating the request. The security of such systems is tied to these digital identities, which means identity and access management (IAM) must be an integral part of all devices and networks to minimize the risk of attack. Stolen credentials can not only compromise the devices or systems to which they allow access but also allow hackers to obtain data from apparently unrelated areas of the network.
Moving toward unified digital identities will support seamless interactions with smart home, building and city devices by allowing users to digitize important identity information, such as driver’s licenses and bank account numbers. However, until such unification is achieved, multiple forms of authentication are required for secure network access, particularly remote requests. Producers and providers of smart devices and services will need to shift focus to developing stronger, more reliable security measures to support the growing reliance on IoT in all areas of society.
As IoT adoption continues to increase, cybersecurity professionals must prepare to meet the challenge of protecting wide networks of devices and the data they collect. Threat awareness and prevention are critical focus areas, and digital identity holds the key to managing the numerous interactions necessary for the success of these complex systems.
Since 63% of confirmed data breaches can be linked to weak, default or stolen passwords, the time has come for businesses to seek more reliable authentication methods. The increasing complexity of the cybersecurity landscape has rendered traditional passwords all but useless, and a nuanced approach to access management is necessary to protect against emerging threats.
Confirming Identity with Context
Contextual authentication takes users’ habits into account when determining whether to grant or deny access. It’s rare for users to deviate from their routines, so behavior patterns tend to be predictable. These patterns provide the context in which it’s “safe” for the system to authorize login attempts. Hackers using stolen credentials will find it difficult to replicate the exact circumstances under which users access their accounts, and contextual authentication enables flagging of unusual behaviors.
High numbers of false positives may be returned with this authentication method if contextual details are lacking. The system can “learn” new patterns over time, but providing comprehensive user profiles during implementation prevents the IT department from being swamped with alerts. When given enough information, contextual authentication monitors users’ sessions in the background and prompts for additional authenticating factors only when deviant behavioral or circumstantial factors are detected.
Adapting with Risk Evaluation
Evaluating risk levels is a key component of contextual authentication and can be invaluable in network environments where different degrees of security are required in common workflows. By taking into account the likelihood a system will be compromised, this authentication method is able to grant access based on the risk involved in specific situations. Circumstances are evaluated and given risk “scores,” which the system uses to determine whether additional credentials are required before allowing users to proceed.
The dynamic nature of a risk-based authentication model makes it possible for systems to adapt to context, evaluate individual access requests and respond appropriately. Businesses can integrate other authentication methods, such as biometrics or one-time passwords (OTPs), to provide extra layers of security. A properly configured system handles the majority of potential threats on its own and doesn’t alert the IT department unless it encounters a serious breach attempt requiring human intervention.
Pinpointing Users with Geolocation
Geolocation provides a significant amount of information about the owner of a device, which can serve as confirmation of identity to authorize a transaction. Businesses may use geolocation to prevent hackers from making purchases using stolen credentials by comparing a user’s delivery address to his or her physical location when placing an order. Geolocation can also detect significant deviations from a user’s normal login location or determine if an authenticating device is in the same location as the individual requesting system access.
The use of geolocation allows for granular access control in organizations handling highly sensitive information. A business may, for example, restrict its employees from logging onto the network only from within specific office locations. This ensures information is never shared over connections business can’t monitor, such as unsecured public Wi-Fi. Access rules may be adjusted to include other areas when employees are traveling or businesses expand into additional locations.
Geolocation isn’t infallible. It requires a strong cellular signal or Wi-Fi connection to work as intended and is no longer a viable authentication method if a device is stolen along with a user’s access credentials or a customer’s credit cards. However, it can provide valuable information when used as part of a broader contextual authentication strategy.
Authenticating with Apps
Equipping users’ devices with authentication apps eliminates the risks of using text messages for two-factor authentication (2FA) and mutli-factor authentication (MFA). Text messages can be hijacked with a SIM attack, in which a hacker diverts a user’s cell phone number to his or her own SIM card. All information meant for the user is then received by the hacker, including authentication codes, PINs and OTPs sent via text messages.
Authentication apps link to users’ accounts and provide unique codes whenever a change in context is detected, such as a login from a new device or an access request made from a remote location. Because the apps operate independently of Wi-Fi and cellular connections, the time-sensitive codes are always available for use.
When hackers attempt to gain account access with stolen credentials, they’re prompted to enter a code from the app. Without the associated device, the login attempt fails. Some apps allow for additional protections, such as PINs or passwords, to prevent hackers from obtaining codes on stolen devices.
These authentication methods give businesses several options for securing networks against infiltration. Building stronger authentication into existing access management policies reduces risk and provides the agility needed to adapt to modern security challenges. IT teams should evaluate current authentication methods to determine where vulnerabilities exist and implement appropriate controls to prevent attacks.
In order to manage cyber and data security risks, organizations assign a qualified person tasked with creating and maintaining a security program which includes policies, standards and guidelines. A security policy is a high level security statement that dictates how a particular security risk should be handled throughout the organization such as “all devices must be encrypted” while standards require the use of acceptable methods and tools for implementing and enforcing the policy such as the use of “Advanced Encryption Standard (AES) 256” while guidelines offer additional information.
Managing information security is one of the highest priorities in many organizations, especially those operating under heavy regulatory mandates and requirements. As we all know, information leakage and data breach is a high risk that can negatively affect organizations’ reputation and financials. Organizations that experience a personal and private data breach can expect to face loss of customers, industry trust and credibility, money, competitive advantage, and increased regulatory scrutiny.
It has been acknowledged that some executives and members of the management team may override information security policies (and let other employees violate the policies) by asking the CISO for a special treatment because the policy is a burden to their productivity and a bunch of other reasons.
A security policy override may come in a various forms. If the violator feels powerful in the company and knows that his or her wishes can not be rejected, the person will make a formal request to bypass the security policies at will. Other times, the person may just ignore the security mandates and violate the security policies without notifying the CISO as they might feel it’s a waste of time, the policy does not apply to them, or the request may be rejected and that they can get away with it when detected because of their powerful position.
To be fair, some executives may abuse their power and override security controls because either they don’t even know that their actions are in violation of security policies or they are not fully aware of the consequences of their security violations and how their actions may pose a risk to the company. As mentioned, they might just ignore the security policies because they are busy or even worse they might be planning to commit a fraud.
To deal with security violations, strong detection controls must be in place and communicated widely to make sure everyone knows that they are being watched and that there are serious consequences for violating the security policies. That said, detecting security violations can be a daunting job and sometimes impossible as the violators may be highly technical who can clear their tracks after they achieve their goals. Also, when a security violation is detected whether proactively or during unrelated audits, usually nothing happens if there is no Board and executive committee support to deal with such violations. Therefore, it is extremely important that the security program includes provisions for dealing with the violators and that the provisions are approved and supported at the highest levels of the executive board.
Sadly enough, the CEO and other high ranking officials have other business priorities that neglect security until a security breach occurs and it is then and only then when they make decisions within minutes to improve security which they did not make before the breach after dozens of business cases to explain the risk.
In conclusion, executives and management team members like all other employees should not be exempt from following any of the company’s security policies and procedures in order to ensure continued protection of company assets including confidential information.
Identity Management Institute® (IMI) is the leading global certification organization serving professionals in identity governance, access management, and data protection.
Since 2007, IMI certifications help global members advance in their careers and gain the trust of the business communities they serve with their identity and access management skills.
SUBSCRIBE TO IMI NEWSLETTER
Identity Management Institute
20555 Devonshire Street, # 366
Chatsworth, CA 91311, USA