Lately, cybersecurity has been the place where IT’s optimism goes to die.
It’s been a tough road for companies and organizations the past few years as their network defenses have been bent and broken on a consistent, and often dramatic, basis. Hacks that topple over a billion user accounts are shocking and make a solution seem impossible. But IT is resilient despite on-going challenges in staffing, budgeting, and time.
The question is will a new year bring improvements in cybersecurity, specifically around authentication and access controls? There is no doubt that the environment is caustic. Through last week, the Identity Theft Resource Center (ITRC) has identified 980 hacks in 2016, and the exposure of 35,233,317 records. Business and Health Care were the hardest hit vertical industries.
In 2015, the number of recorded hacks was 781, which was the highest number since 2005. In that year, ITRC was compelled to announce “breaches have become the third certainty in life.”
That’s a grim reality for IT, online services and end-users. What could happen in 2017 that might give the good guys a fighting change against the bad guys? Here are three thoughts that might help define progress next year.
While it might seem like no one is paying attention, internet users are starting to realize their data has value. And it’s a value that deserves better than a password. This is the first move in what will be a multi-year culture shift. Most everyone is sick of passwords, but they will not go away next year – or for many years after. But they have to be removed as a security boundary. Passwords should only be used to signal that a user wants access to a resource. Then the user must produce a secure credential to back up who they are, and then tie into an evaluation of authorization for privileges – and perhaps operations like risk assessment (more on that later).
A recent study by TeleSign showed that 73 percent of respondents want companies to provide extra layers of security beyond the password. The survey also revealed an 18 percent increase in the number of consumers that currently use a second-factor for authentication for at least one online account. Of those, 77% have turned it on for at least one new account in the past year. That’s not a culture shift, but it is an encouraging sign. 2017 has to provide momentum.
If identity is indeed the new security perimeter, than the underlying technology for that perimeter must be built on standards. Without standards, dead-ends emerge that block the flow of identity-based access across the security boundaries of enterprises and online service providers. Today, standards built on OAuth 2.0 and its derivative protocols have gained acceptance as a new foundation to augment or replace current IAM infrastructure, which is mostly built on the Security Assertion Markup Language (SAML). OAuth-derivative OpenID Connect addresses authentication needs and companion technologies like clients built on AppAuth provide hooks to bring mobile devices into the fold. In addition, the FIDO Alliance is on the verge of further enriching strong authentication to protect resources on desktops, browsers and mobile devices. FIDO also has the potential to take a major bite out of phishing, which costs companies with 10,000 or more employees as much as $4 million per year, according to the Ponemon Institute. Separately, existing standards for encryption and digital signing could secure the integrity of data, which Steve Wilson of Constellation Research refers to as the “authentication of data.” These standards have to show maturity in 2017 if the year is to be a milestone.
Identity and authentication is not a 12-month turnaround. Secure identity is one thing, but there is a fabric of cybersecurity defenses that further improve access control. Trust and risk assessments, analytics, data loss prevention, signaling and other technologies are key capabilities for security. End-users seeking resource access will be interrogated on the back-end by having their credentials, their habits and their locations examined and cross-referenced. The concept of Continuous Authentication will incorporate all these variables and keep users moving securely among resources. Also, strategies and standards need to mature to pull mobile devices and the Internet of Things into this access control gauntlet.
Gartner says that companies of 1,000 or more employees spent on average $1.6 million on IAM in 2016. Most of those companies expect to spend more in 2017, including replacing one or more aging and current IAM systems that aren’t meeting today’s sophisticated needs. All this coordination will take collaboration. In 2017, enterprise and service provider security staffs must show holistic efforts around deploying cybersecurity and IAM solutions. Without cooperation across an organization, building out authentication and security won’t be tactical or effective.