The password is dead (or is it?) and the identity and access management (or IAM) era has begun.
What is identity and access management? It’s the process of authenticating a user to ensure that an organisation has got control over access to systems and data, and that the right people are getting access to the right information.
Let’s break it down.
Identification is when a user claims to have an identity — a username, for example — and the authentication part of that is the process of proving their identity. This would typically occur when they provide certain credentials and if that’s proved correct, then that becomes an authenticated user.
Sounds simple — “but what that really means in practical terms for businesses is that business users typically have a huge range of business-related usernames and passwords,” says Mike Newman, CEO of My1Login — the IAM solutions company. “They have a number of business identities that they have to manage, which don’t integrate or join up neatly together.”
In this environment, which everyone reading is familiar with, business (and even consumer) users have to manage their own passwords and that ultimately, puts the business at risk because they tend to do insecure things.
Users, typically, use weak passwords and they store them in insecure places, like spreadsheets, mobile phones or in a Word document on the server.
“All of these scenarios put the enterprise at great risk,” continues Newman. “If you look at the data, it shows that in 81% of data breaches, passwords are involved at some point in the attack vector. So it’s creating a huge risk for enterprises.”
Much more than just security — the future of identity and access management
Enterprise vs SME
What is the password-landscape like in the larger enterprises compared to SMEs and startups? Have the more established, wealthier companies moved beyond passwords or are they stuck with legacy applications; and are the SMEs steaming ahead?
Both in SMEs and larger enterprises, they are dependent on a number of large enterprise applications. They have certain authentication protocols that they are compatible with, “which makes them a bit easier to integrate with a single sign-on capability,” confirms Newman.
However, especially in the largest organisations, there are a huge range of applications out there that the enterprise doesn’t know about, because the users and departments have adopted them without IT knowing about it — shadow IT. This makes integrating a single sign-on capability challenging.
For instance, Newman explains that it’s much easier now to sign up for a cloud app and start using it — “a department can be using a cloud app and relying on it for business use without IT knowing about it. So there’s a huge risk with shadow IT where applications still use passwords and those passwords can protect critical data. If those passwords are compromised, it can put the business at risk.”
The death of the password in the authentication age
Death of the password?
The password is not dead.
The death of the password has been heralded since the Hewlett Packard, in the mid 1990s, introduced biometric fingerprint scanning into laptops. But, it is still pervasive.
Biometrics have become more common in personal devices and mobile devices, it’s true. But, there are still a range of applications out there that are hugely dependent on passwords as their primary method of authentication.
In any enterprise or small business, there’s still a heavy reliance on passwords and often businesses don’t even know the extent to which applications are being used in the business.
“Until we have a world where all the providers of all applications decide on a common standard to integrate with, we are a long way off from the death of the password” — Newman
IT might know about the common apps that are used in that organisation, but they may have no visibility of these applications that some departments have adopted autonomously.
To give an example, My1Login worked with one smaller organisation who thought it had about 40 applications in use across the business. When they switched My1Login’s solution on, the technology discovered there were actually 600 corporate applications being used. All of these are now integrated fully with a single sign-on.
“It’s really about using identity and access management solutions to overcome those challenges and make it easy for the user and make it more secure for the organisation; but still recognising that passwords are here for the foreseeable future,” says Newman.
Facial biometrics: assuring genuine presence of the user
IAM: more secure
Identity and access management is more secure than password-dependent applications, because it takes the requirement to manage passwords out of the hands of users.
Users, typically, do insecure things with passwords; they either use relatively weak passwords that are memorable, or they write them down somewhere, or store them in insecure places — all that puts the business at risk.
IAM solutions take those passwords out of the hands of users and puts the business back in control of managing them: the users don’t even need to see or know about the passwords anymore, because all they do is they navigate to the application and the solution can determine whether they have the right to access that application and if so, it will authenticate them.
“You’re taking the passwords away from the users,” simplifies Newman.
My1Login can be used to eliminate phishing. That sounds like a very bold claim, but I’ll explain how that’s done.
On the My1Login system you can set a policy. Let’s say you discover that users are using a cloud application; let’s say it’s ServiceNow, for instance. You can set a policy on My1Login to force a change to the user’s password for ServiceNow and make it, for example, 40 characters long (totally random, high entropy), but then hide that password from the user under the My1Login system, because the user doesn’t need it anymore.
If the user doesn’t need it any more, and they can’t see the password, they don’t know the password and if they don’t know the password, how can they be phished for it?
Scaling identity and access management
Cloud IAM solutions exist in a part of the market called Identity-as-a-Service.
The technology is largely cloud-based, which means that it’s incredibly easy to adopt and roll out at scale across an enterprise. And typically, the first users can be up and running within a matter of an hour, because the core intelligence is already there in the cloud.
Typically, this type of IAM is very lightweight and easy to deploy.
Tech Nation’s cyber security cohort: My1Login company profile
Passwords and data: one and the same
Storing passwords is as critical as how an organisation secures data.
Solutions that send the passwords up to their servers and then encrypt them on their servers using keys that they have access to is a dangerous game. This creates a fundamental security risk, in that the vendor has the keys and the data at the same time and in the same place.
Secure identity and access management solutions that run the encryption client-side are crucial.
“This means that the customers’ passwords get encrypted inside their environment and all we store is the output of the encryption process, which is impossible to decrypt without the relevant encryption keys. And we don’t have access to them,” explains Newman.
My1Login is part of Tech Nation Cyber — the UK’s first national scaleup programme for the cyber security sector. It is aimed at ambitious tech companies ready for growth.