Betting Big on Identity and Authentication

Last year, 2020, was a year of accelerated digital transformation with COVID-19 related lockdowns pushing preexisting trends into overdrive. We saw more quantum leaps in cloud adoption, remote work and digital transformation in a single year than we’d seen in the previous decade.

Naturally, this shakeup has caused a near-perfect storm in the enterprise security world. Threat actors, too, have made quantum leaps; expanded their hunting grounds from fortified network perimeters to the unprotected home networks and unsecured private devices that are increasingly used to access an organization’s assets and resources.

While the challenges in front of us are varied, there’s a common thread connecting the most pressing cybersecurity challenges: the most urgent, painful and noticeable obstacles can be traced back to identity management and authentication.

Remote and Hybrid Workforce

One trend that will endure through 2021 is our reliance on technology for supporting a remote workforce. The number of employees working remotely is predicted to eventually settle in at 300% of pre-pandemic levels, at a minimum.

As more and more people require secure access to an organization’s resources, it becomes increasingly clear that current identity authentication methods are security deficient and lacking when it comes to employee experience. With the massive growth of long-term remote workers, organizations must rethink off-premises identity authentication security.

One crucial problem with current authentication methods is their reliance on login/password combinations. Passwords are at the root of 80% of data breaches, as they are fundamentally insecure for several reasons: endemic password reuse, credential dumps and credential stuffing and poor password hygiene, among others. As such, the future of enterprise security must focus on eliminating the most vulnerable part of any security equation – human error. Investing in future-proof identity and authentication management (IAM) technologies will become increasingly critical as more and more aspects of the business world go online.

Cloud Threats and Zero-Trust Principles

Today, there is less of a distinction between cloud and local protection, as both increasingly deploy zero-trust principles for granting access to corporate resources.

This is a stark departure from perimeter-based protection schemes. The perimeter security approach was falling out of favor even before COVID-19, as the focus on perimeter protection meant that hackers that got past corporate firewalls could move laterally through internal systems without much resistance.

The zero-trust approach opts for the “better safe than sorry” approach, and requires identity verification for anything and everything before granting access. Zero-trust no longer assumes that actors, systems or services operating from within the security perimeter should automatically be trusted.

Naturally, this approach is much better suited to the distributed workforce era.

Today, the perimeter itself is no longer clearly defined. Organizations are managing a hodge-podge of applications and data stores both on-premises and in the cloud, and users are accessing them from multiple devices and locations. As digital working environments become increasingly complex and fragmented, organizations need to adopt technologies and practices that simply and quickly safeguard identity and authentication at every entry point without detracting from productivity.

AI-Powered Attacks

AI provides efficiency and effectiveness for good and bad actors alike. Faster network speeds, combined with the sprawling use of intelligent devices, will inevitably result in more sophisticated automated attacks.

Cybercriminals increasingly turn to AI and ML technologies to create malware that teaches itself to search for vulnerabilities and automatically evolves; finding weaknesses and entry points that would be the most successful without exposing themselves.

Likewise, faster network speeds, such as 5G networks, benefit both sides. When the speed of communication between devices is much greater, bot attacks can become ever more sophisticated. Swarm attacks, involving intelligent bots that can learn from each other as the attack occurs, are going to be a more common occurrence in the future.

As with everything else in cybersecurity, when it comes to protecting organizations against malicious use of AI, preparedness is key. This includes having proper security architectures and network segmentation to reduce a company’s attack surface, as well as sophisticated identity authentication systems that employ the zero-trust principle.

Focus on Privacy and Regulation

There has never been greater awareness of the need for data protection and privacy at both the regulatory and the consumer level. 2020 has been a record year for data breaches, privacy-related lawsuits, government enforcement proceedings, as well as large settlements of new and older claims.

There has never been higher demand for cybersecurity-related legal representation, and legal teams specializing in cyber are in the midst of a hiring surge to address new privacy regulations and surging cyberattacks.

Privacy and regulation are no longer on the back burner, but at the top of CISOs’ list of priorities and responsibilities.

Organizations are more focused than ever on the protection of digital identities and success mechanisms, as regulatory frameworks become better defined. To be successful, organizations need to ensure that whoever gets access to their resources is who they say they are, not simply someone who got access to a valid login/password combination.

Amplifying Existing Identity and Authentication Resources

The lack of skilled cybersecurity personnel, combined with tight security budgets, is another challenge that CISOs must contend with in 2021. Hiring and training personnel is the last place organizations should be cutting budgets; instead, they must consider other areas where they can save, without compromising quality of service.

Stronger Identity and Authentication Management is the Hero 2021 Needs

Even though we’ve left 2020 behind, the world remains firmly in the grip of the COVID-19 pandemic. We can expect the continuation of these trends going forward, with remote workers and cloud services increasingly targeted by cybercriminals.

Cybersecurity challenges are varied, but they all can be traced to a single fundamental concept – authentication. Defining who gets access to what resources, when and where, is the very foundation of cybersecurity. One of the best ways to address the plethora of authentication-related risks is by implementing passwordless authentication.

Without the inherent weaknesses and vulnerabilities associated with passwords and weak login/password combinations, the dangers of credential dumps and endemic password reuse are no longer a problem.

At the same time, passwordless authentication makes life easier and more productive for employees and, in turn, IT support teams, by enabling them to easily and quickly access all resources and applications they need using their identity without the frustrating and time-consuming burden of memorizing dozens of credentials.

By removing the dependency on login combinations that can be lost, reused, stolen or forgotten, organizations can improve security, lower the overall TCO, and improve employee experience at the same time.

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard
Avatar photo

Raz Rafaeli

Raz Rafaeli is the CEO and co-founder of Secret Double Octopus, a leader in passwordless authentication for the enterprise. Refaeli has more than 20 years of leadership experience in the security, networking and enterprise software industries as well as an M.Sc. in Computer Science from the Technion Institute of Technology.

raz-rafaeli has 2 posts and counting.See all posts by raz-rafaeli