identity Archives - Security Buyer Magazine

The question of digital identity needs to be taken seriously

Malte Pollman, CSO, Utimaco explains the importance of digital identity. In eCommerce and digital finance it is vital that the person logging into an account is the person associated with it. Fraud does happen in physical spaces, but it is much rarer because a person trying to pay on a card can simply be asked for an identity document like a driver’s licence to prove their identity, and even if they have somehow forged a driver’s licence they will be visible on security cameras. Digital spaces don’t have anywhere near that level of deterrent – anyone with a username and password can potentially access an account as if they were its legitimate owner. The idea that there should be ways of proving one’s identity digitally that are as secure as those in the real world is not new. The UK government has already created a framework that would allow private companies to create digital identity systems, called Verify. Although they have now been taken off the table, a hypothetical ‘vaccine passport’ would have also bridged the gap between analogue and digital identities. Analogue identity checks are based on a document with a high level of protection against forgery which is issued by a trustworthy authority – a passport or drivers license for example – and are considered the gold standard when proving identity. How can we create something just as trustworthy and secure in the digital space? How are digital identities created? Currently, many websites offer customers the option of logging in via existing Google or social media accounts, often secured with two-factor authentication or app-based verification. These are, by definition, digital identities but they are flawed in that anyone can create a new Google or Facebook account and there is no need to use a government-issued ID to verify your identity when setting one up. There is no equivalent of what the UK government wants to create – a single digital ‘document’, perhaps based in an app with biometric identification, that allows anyone to prove that they are who they say they are. It would necessarily have to involve submitting analogue forms of identification like passports when setting one up, which would then have to be verified as authentic either digitally or by humans, both of which have their problems and a potential for fraud and identity theft. The transfer of an analogue proof of identity into the digital space is only one of the challenges with electronic identities. The other is to protect eIDs against misuse and data leaks. This means that there must be a simple way for a verifying authority to determine whether an eID presented to it is genuine. Under the new UK digital identity plans linked to above, the authority that issues and manages the digital identity plays a major role: the ID’s integrity is guaranteed either by the fact that it is issued by government institution or through certification and audit procedures if it is a private company. The checking authority knows which issuers of certificates that confirm the digital identity are considered trustworthy and will generally only accept such certificates – in the UK, they will have to follow a trust framework. However, each time an ID is used it will still need to be clarified whether the certificate is genuine. This requires a process that guarantees a very high level of protection against forgery as well as easy verifiability and can be automated. This is where asymmetric cryptography comes into play: the method is based on a private and a public key connected to each other using mathematical operations that are difficult to reverse, such as the multiplication of large prime numbers. Generating the public key from the private key is therefore trivial but getting to the private key from the public key is extremely difficult. The public key can therefore be made available to everyone. If this matches a certificate that was created with the corresponding private key, the certificate is considered authentic. Any digital ID framework will have to be based on a public-private key architecture. Asymmetric cryptography is a highly scalable, robust method for keeping digital IDs secure, already used in thousands of applications in the public and private sector. Promising approaches But there is also an Achilles’ heel to asymmetric cryptography: the private keys must absolutely remain secret. Regardless of whether they are private trust service providers or state institutions, anyone who offers identity services based on private and public keys must ensure that the private keys are optimally protected. Hardware Security Modules (HSMs) are the ideal choice for generating and securely storing strong private keys. Compared to software solutions, they have the advantage that the keys themselves are not read into the main memory of a computer, which means that they cannot be compromised remotely. Some HSMs also have a real random number generator – important for generating top-quality keys – and are designed to resist next-generation quantum computing. Digital identity documents solve a key problem in the digital world: being able to tell that somebody is who they say they are. Although there is likely to be a civil liberties pushback if a UK digital ID were mandated, they are likely to slowly become more common. For this reason, they need to be secured to the very highest standards, and the level of security that is possible with modern hardware security modules will be a key way in achieving this. To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here. Media contact Rebecca Morpeth Spayne, Editor, Security Portfolio Tel: +44 (0) 1622 823 922 Email: editor@securitynewsdesk.com

The question of digital identity needs to be taken seriously Read More »

Okta advances customer identity with Auth0 and New Okta Features

UK News Desk / Rebecca Morpeth-Spayne

Okta announces continued growth and advancements in both Okta’s and Auth0’s Customer Identity and Access Management (CIAM) offerings at the company’s annual Showcase event. Marking the first joint event since the Auth0 acquisition closed in May, the team will share their vision to jointly grow the CIAM market, and launch new capabilities from Okta’s Customer Identity products, including Device Authorization Grant, Branding, and Custom Administrator Roles. The live-broadcasted event from company headquarters in San Francisco will commence at 9:30AM PT. The development time and continuous optimisation required to deliver safe and superior digital experiences across devices and applications is increasingly burdensome and complex for companies in today’s marketplaces. It requires customisation per application, specific coding, and additional security measures to protect against the evolving threat environment. The risk of security and deterioration of the end user experience is a key challenge. Identity is the common foundation on which organisations can build both secure and frictionless experiences. A new era of identity-first security has emerged as a result and is driving demand for CIAM. Early adopters of CIAM now have a distinct competitive edge. Okta’s acquisition and continued investment in Auth0 is at the centre of this growing demand and massive $30 billion market opportunity for CIAM. Okta announced its plan to operate as one combined company, with two CIAM product units across both Okta and Auth0, providing customers with more choice in how they want to deploy CIAM. Okta and Auth0 enable organisations to deploy digital customer-facing experiences that overlay security, governance, privacy, and engagement policies throughout a customer journey, without making tradeoffs to usability. The growth of each platform and the benefits they bring to varied use cases is why Okta will continue to invest in both. Continued investment in Okta’s CIAM offering includes the release of key new capabilities, including: Device Authorisation Grant: Simplify and secure the registration and access for end users across input-constrained, shared, and IoT devices (like Smart TV apps, smart speakers, kiosks, and terminals), improving user-experience, reducing abandoned registrations, and increasing security for users regardless of interface. Branding: Communicate with confidence and go live faster with consistent branding across login, error pages, and email templates without wasting hours of developer time. Customers can deploy their brand templates without adding custom code, ultimately providing ease of implementation. Custom Administrator Roles: Spend less time on the governance of who has access to what and more time focusing on the challenges that will drive businesses forward. Enable Super Admins to follow the principle of least privilege by creating granular roles for admins to manage their users, groups, and applications. Easily apply a flexible approach to administration that fits each unique organization structure, ensuring each admin has the right level of access they require. “As a data-focused organisation, security is of the utmost importance to us. Okta’s Custom Administrator Roles allow us to follow the principle of least privilege and only grant admins access to the tasks they need to perform across our many business units. We save time for our internal teams and ensure the best-in-class security of our customer applications.” said Atul Bahl, Vice President of Cloud Infrastructure, Verisk Analytics. “Identity sits at the core of all digital experiences and provides the security, agility, and usability needed to quickly adapt to any current or future challenge,” said Todd McKinnon, CEO and Co-Founder, Okta. “Together, Okta and Auth0 deliver the most comprehensive approach to customer identity. We are investing in and supporting both platforms, and we are proud to empower our customers to choose with confidence.” Availability Okta’s new features, including Device Authorisation Grant, Branding, and Custom Administrator Roles, are all available today in early access. Customers can opt-in to use all three new capabilities in the Okta Admin Dashboard. Device Authorisation Grant and Branding will be generally available in Q4 2021 and Custom Administrator Roles will be generally available in Q2 2022. To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here. Media contact Rebecca Morpeth Spayne, Editor, Security Portfolio Tel: +44 (0) 1622 823 922 Email: editor@securitynewsdesk.com

Okta advances customer identity with Auth0 and New Okta Features Read More »

82% of European organisations are increasing their Zero Trust security budgets

UK News Desk / Editor

Organisations have become more security conscious over the course of the pandemic, leading them to invest heavily in Zero Trust, according to a new study from identity firm Okta. The State of Zero Trust Security 2021 report surveyed over 600 global security leaders about their initiatives and found that remote work has led to a change in how organisations view the importance of Zero Trust, with financial services, healthcare organisations and the software industry seeing the most significant progress. More than three-quarters (78%) of companies globally say that Zero Trust has increased in priority and nearly 90% are currently working on a Zero Trust initiative, up from just 41% a year ago. In 2019, Zero Trust was a priority for only 18% of European companies. Now, two years later, the region is the most mature globally when it comes to Zero Trust adoption, with 90% either having fully implemented the strategy or planning to do so in the coming months. As such, 82% of European organisations have increased their Zero Trust budgets in 2021, while not a single business in Europe says their budget has decreased. This comes during a period where cuts have been widespread, indicating the importance of Zero Trust as a security measure. The greatest challenges for European organisations in adopting a Zero Trust infrastructure include: Cost concerns (26%) Technology gaps (22%) Stakeholder buy-in (19%) Awareness of solutions (15%) “This research comes as cybersecurity remains a key challenge for organisations, following the heightened risk landscape created by the pandemic,” comments Ben King, Chief Security Officer, EMEA at Okta. “To avoid becoming the next victim of a data breach or attack, organisations are moving towards a more robust and comprehensive security posture that is centered around the Zero Trust principle of ‘never trust, always verify.’ Businesses must recognise that people are the new perimeter, and adopt strong authentication across all services, everywhere — from on-premises, to cloud, to mobile, and for employees as well as customers, partners, contractors, and suppliers.” The most used security factors: the steady rise of biometrics Okta’s research also reveals that companies are continuing to use low assurance factors, with the majority of companies still relying on passwords (95%) and security questions (68%). However, compared to the rest of the world, Europe has more widely implemented mature security factors, like biometrics, hardware one-time passwords (OTPs), and push notifications. 56% of organisations in Europe are already utilising biometric technology, compared with 43% for the rest of the world. Globally, biometric technology has continued to skyrocket, with 45% of global companies, and over 50% in financial services and software, using biometrics as a high assurance factor. “Overcoming the reliance on passwords is not going to happen overnight, but organisations can start with adopting contextual factors to ease authentication processes,” Ben King comments. “By embracing passwordless technologies such as biometrics and contextual factors, businesses can increase security and tackle data breaches more effectively.” To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here. Media contact Rebecca Morpeth Spayne, Editor, Security Portfolio Tel: +44 (0) 1622 823 922 Email: editor@securitynewsdesk.com

82% of European organisations are increasing their Zero Trust security budgets Read More »