CS Jul-Aug 2023

More documents

Recommendations

Info

identity & access THE NEW ROAD AHEAD A NEW NATIONAL ROADMAP FOR IDENTITY AND ACCESS MANAGEMENT SINGLES OUT STRATEGIC OBJECTIVES, ALIGNS EFFORTS WITH NATIONALLY DEFINED PRIORITIES AND SUPPORTS LONG-TERM PLANNING With the National Institute of Standards and Technology's draft roadmap for identity and access management (IAM) clearly signalling a strong push for meaningful change, NIST is now carefully considering the responses that it sought on where it is hitting the mark and where the roadmap might need to be beefed up (feedback closed on 1 June). Amongst the specific questions that NIST wanted addressed were: Are the guiding principles clear? Are any important principles missing? Do any of the strategic objectives need clarification? Are any key objectives missing? Are there specific activities, research or guidance that should be included and, if so, why? Which strategic objectives are most likely to have an impact and should be prioritised? Why is the roadmap so important? "As we become more reliant on connected technologies, we also become more reliant on authentication," states Tim Hollebeek, industry technology strategist, DigiCert. "Offline, we use our handwritten signatures or show photo ID against which our visages can be compared. Online, however, our identities have to be verified remotely and many of the ways in which we currently do that are aging badly. Passwords, for example, have been an enduring part of authentication for decades. They've also been an enduring risk for organisations whose passwords can often be easily guessed, are easily forgettable and are often reused across accounts." Similarly, users are now demanding greater levels of privacy and greater autonomy over what they share and with whom. 'Mobile driver's licence' standards are also emerging out of private and public sectors - such as the EU's digital identity wallet - which aim to provide a digital solution to mirror the authority of an offline photo ID for remote identity verification. It is amid this shifting landscape that the NIST roadmap intends to guide organisations to a modern authentication framework, he adds. "Any new guidance on Identity and Access Management will have to deal with new realities, such as the rise of remote work and the increase of workers accessing corporate resources through VPNs and from noncorporate Wi-Fi," adds Hollebeek. "The first stage of improving authentication is to take authentication responsibilities out of users' hands. Humans - as they say - are the weakest link and so the responsibility for authentication should be shifted away from them and towards technical solutions. Digital certificates offer a way to do that, offering seamless and strong authentication for users, based on Public Key Infrastructures." He argues that authentication processes should be automated to as great an extent as possible to handle the variety of devices, users and other assets that will be requesting access to a given network. "NIST is absolutely clear on this when it comes to digital certificates. It states in its SP 1800-16 framework: 'Automation should be used wherever possible for the enrolment, installation, monitoring and replacement of certificates, or justification should be provided for continuing to use manual methods that 20 computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk
identity & access may cause operational security risks.' "However, NIST's IAM guidance eventually concludes it needs to tackle the reality of the modern network. That means relying on automation to take responsibility for authentication out of users' hands and leaning towards technical indicators to verify endpoint, device and user identities." NEW ERA OF DIGITAL IDENTITY According to a report from API-focused identity and access management company Curity, UK organisations and consumers are ready to embrace a new era of digital identity. Some 63% of UK organisations either currently use digital identity or have plans to incorporate digital identity solutions into their operations, it reports, with 61% of those planning to do so within the next year. Additionally, 52% of UK firms have plans to incorporate new and emerging decentralised identity solutions. UK consumers are also displaying a growing familiarity with digital wallets, with 58% of consumers currently using them and half of consumers that don't currently use digital wallets considering them in the future. The report, titled 'Plotting the Roadmap for Digital Identity'. surveyed 200 IT decision makers (ITDMs) in the UK and US as well as 1000 consumers to better understand the rapidly changing digital identity landscape. This report comes as the UK government introduces a new trust framework for digital identities. The findings show that 60% of organisations surveyed expect digital identity to have a transformative impact on their industry, with financial services (89%) and health (86%) seen as two of the industries that are likely to benefit most from the latest innovations in this area, according to ITDMs. Other key findings show that top security challenges posed by digital identity for ITDMs are hacker sophistication (39%) and lack of appropriate infrastructure (37%). With organisations facing increasing pressure to protect customers' data, continued innovation and development in the digital identity space could not be of greater importance, states Travis Spencer, Curity CEO. "While there are encouraging signs that businesses are adequately prepared for the paradigm shift that decentralised identity will cause, the winners after the move will be those that cultivate trust among consumers. "The question of how digital identities are managed and by who will continue to be key over the coming years. To keep up with this pace of change and consumer expectations, digital identity must be on the priority list of enterprise architects and strategy makers." ALIGNMENT OF NEEDS What Belton Flournoy, managing director, Technology Consulting, Protiviti, finds most interesting about the NIST's upcoming focus areas is the alignment to what he perceives to be growing business needs. "For example, people are tired of having 20 passwords they must remember, many of which must be changed every few months. People want a seamless and secure experience. We are also seeing companies speak about the importance of the 'employee experience' today, the way they have the 'customer experience' for years. "The NIST IAM roadmap will look to address some next-generation security areas,", he says, "including enhanced facial recognition guidelines, enhanced contactless fingerprint capture, guidance related to identity management via mobile devices and an implementor's guide to modern authentication technology, to name a few. "This expansion will provide organisations with a stronger suite of reference materials to help take their security to the next level. The future is now, and it is an exciting time to be working in the identity and access management space." To access the NIST IAM roadmap, click here. Tim Hollebeek, DigiCert: the first stage of improving authentication is to take authentication responsibilities out of users' hands. Belton Flournoy, Protiviti: people want a seamless and secure experience. www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security 21
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6: news Gary Barlet, Illumio. IBM EXPA
Page 9 and 10: DON’T SaaSSS GET YOUR KICKED! ! T
Page 11 and 12: ansomware WHY BEING AGILE MATTERS W
Page 13 and 14: privacy crisis an inconsistent pict
Page 15 and 16: Infosecurity Europe Matthew Syed's
Page 17 and 18: Computing Security Secure systems,
Page 19: workplace welfare within the cybers
Page 23 and 24: managed services Unfortunately, man
Page 25 and 26: GDPR that bridges the gap between t
Page 27 and 28: GDPR legislation in other parts of
Page 29 and 30: AI enhance SOAR with a generative A
Page 31 and 32: cyber strategy SECURITY BY DESIGN N
Page 33 and 34: ansomware attacks While laws could
Page 35: Computing Security Secure systems,

CS Jul-Aug 2023

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?