Entrust Datacard's Vision 2019 Blueprints Future of Identity and Access Management
Author: Carolina Martinez, General Manager Americas
In June at Entrust Datacard's Vision 2019, the panel discussion, "Future of Identity, Payments and Digital Security," monitored by Tony Ball, Sr. Vice President and General Manager Secure Access for Entrust Datacard, brought together executives from Experian, nCipher Security, Visa and Microsoft. The panel discussed the future of identity, payment and digital security, noting that humans now occupy a digital world that requires that we expose our personal data and identity every day. From online shopping and online bill pay to subscribing to a medical portal requires that users provide their name, credit card information, address and even Social Security number. While most of us are more aware of security breaches, many still happily part with this information.
It all comes down to this: Convenience has made us reckless with our security.
The European Union has tried to contain this by, for example, launching the GDPR (General Data Protection Regulation), addressing data protection and privacy for all individual EU citizens. That's a start, but as Microsoft's Sue Bohn noted in the panel discussion: "Privacy is not protection."
As individuals, we must be more security aware and take ownership of our own data protection. Still, in many cases where security is readily available it is not used. Google has reported that despite providing multi-factor authentication options for users to access their Google accounts, less than 10% of the users have activated this feature. Further, most are not aware of the feature or even understand the concept.
Putting consumers in control of their own information is critical but as in the case above, few consumers take responsibility and, rather, expect businesses to keep them safe. We have at our disposal means to secure access to our accounts with one-time passwords (OTP) and other multi-factor authentication tools, but many consumers fear losing the convenience of doing things in the way they choose.
10 billion authentications by 1 billion unique identities happen every day – yet most rely on simple usernames and passwords, the lowest level of security available. Each year, SplashData evaluates millions of leaked passwords to understand which passwords were most used by computer users during that year. Even with the risks well known, many millions of people continue to use weak, easily-guessable passwords to protect their online information. 2018 was the fifth consecutive year that "123456" and "password" retained their top two spots on the list. It's clear we need to move away from user-name-and-password-only solutions and companies need to work together to make it happen.
As Kolin Whitely from Visa pointed out during the session, dealing with identity cannot be a competitive issue. Rather, companies must come together and collaborate to provide a matrix of solutions. Cindy Provin of nCipher Security noted that we are at a point of market disruption. Now more than ever innovation is key, Experion's David Britton noted, "If you have a department for innovation, you're doing it wrong." The panelists agreed that we must be deliberate about innovation and have it in our DNA.
Information such as PII (Personal Identifiable Information) needs to be devalued by vendors. Information is given freely without consideration for our security due to archaic trends established for years: Do we really need to provide our address, date of birth, and driver's license number simply to validate that we are at the legal age to be able to purchase or consume alcohol? A simple eligible or not should be enough.
So where do we go from here? Moving to cloud and implementing behavioral analytics are some of the options. Moving to the cloud allows enterprises to more closely monitor behaviors that threaten security. Zero trust networks are not good enough; we need to think of zero trust access. The notion of risk as an evaluator is key in the new active directory (risk authentication before they authenticate), because it will require a user to add second factor when it's needed.
Also crucial is building policies differently. Rather than creating policies and then sourcing the means to apply them, companies should determine the key attribute, that will define the identities risk evaluators will use to authenticate. This will result in policies that embrace zero trust: "never trust, always verify".
What does the future hold for identity solutions? Companies can understand users through unique characteristics, our voices and gestures are unique. Will we have to chip ourselves? Several of the panelist agreed that it's a strong possibility...
Versasec makes it easy for businesses to scale and manage their multi-factor authentication needs. To learn more about how vSEC:CMS can help protect your customers and employees, contact Versasec here.