“Identity Is The Only Perimeter” How We Can Secure Our Digital Identities
Brad Jarvis, Senior Vice President and Managing Director, at HID, shares his insights on the importance of digital identity security.
The cybersecurity threat landscape is always changing, as new technologies and vulnerabilities give cybercriminals more opportunities to gain access to private data through increasingly sophisticated cyber-attacks.
In the past, security teams could secure networks on-premises by implementing physical network firewalls and email filtering technologies, alongside access control solutions to prevent physical access to company machines and datacenters.
But post-pandemic, many companies have moved to entirely remote ways of working, and we’re now much more reliant on mobile devices that cannot be secured by physical access control solutions. For this reason, identity challenges like credential theft, impersonation attacks and account compromise are increasingly putting business data at risk.
“Identity is the only perimeter,” says Brad Jarvis, Senior Vice President and Managing Director of Identity and Access Management at HID.
HID is a market-leading identity management provider, powering the trusted identities of the world’s people, places and things. Their solutions include physical identity controls such as employee key cards, personal IDs including passports and drivers’ licenses, RFID tracking, ID badge printing and embedded identity technologies used for point-of-sale systems, attendance technologies and even vending machines.
Jarvis has been leading the Identity and Access Management division within HID for the past five years, as unprecedented challenges have emerged around securing digital identities. Prior to joining HID, he has 20 years of experience working with both Software-as-a-Service (SaaS) platforms and business intelligence and identity platforms, mainly focusing on security, IoT and telematics.
We sat down with Jarvis to get his perspective on the rise in identity threats, the importance of seamless identity management and zero trust, and how businesses can stay protected against identity threats.
Why Is Securing Identity Important?
Identity-related cybercrime is on the rise. As organizations rely more heavily on digital accounts, SaaS applications and personal devices, there has been a major increase in identity-related cyberattacks and data breaches that are costing organizations billions. The ransomware attack that hit Colonial Pipeline, for instance, shut down 5,500 miles of gas pipelines until a $4.4 million ransom was paid.
But often, identity-based attacks don’t only come from external threat actors using advanced technologies to hack systems. Instead, they may come from threats and vulnerabilities that are already inside your company.
“Believe it or not, many people don’t realize that many breaches and threats come from within their own organization, through outdated systems and unsecure authentication methods,” Jarvis says.
This doesn’t necessarily mean that there are malicious threat actors within your organization looking to help cybercriminals compromise data, he explains. But users can fall victim to phishing attacks, and many users still rely on weak passwords to govern access to corporate accounts.
In fact, there is a clear overreliance on passwords, which is driving identity risks, Jarvis says. Even the use of highly complex passwords can’t guarantee account security; just recently for example, 8.4 billion passwords were leaked, potentially putting billions of accounts at risk, no matter how long or complex their passwords were.
“From what I’ve read of the Colonial Pipeline attack, that was the result of a single compromised password. This could have been stolen from a different hack, where a group of passwords and usernames were compromised.”
“These are the things that we see happening out there,” Jarvis says.
Risks don’t just come from users’ identities themselves, but also in the managing of those identities. “It’s the policies,” Jarvis says. “You need to make sure you’re onboarding and offboarding identities. If people leave the company, you suspend those passwords, not just where they were originally created, but everywhere they’re used.”
When admins manually revoke access to passwords and accounts from employees leaving the company, it’s easy for mistakes to be made and for accounts to be forgotten about—which can open organizations up to the risk of data breach.
“Really, the thing that will help with this is a focus on zero trust as we go forward,” Jarvis says.
The Importance Of Zero Trust And Seamless User Experiences
In the aftermath of the Colonial Pipeline attack, US President Joe Biden signed an executive order calling for all federal government agencies to adopt a “zero trust architecture,” and urged the private sector to do the same. But what exactly is zero trust, and how can it help us keep digital identities secure?
The core principle of zero trust is that you should not trust anything—inside your network or beyond—with access to systems without continuous verification. At the same time, users should only be able to access what they need to for their day-to-day roles, limiting the scope of data breaches if identity compromise does occur.
Zero trust reinforces the idea of identity being the only perimeter, Jarvis says. “It’s about continuously verifying the things or the people, checking who they are and integrating that into a behavioral context.”
This also includes eliminating false positives and creating a more seamless user experience. Traditional identity security solutions are built around rules, he explains, but zero trust solutions, such as HID’s IAM platform, look at the security of individual identities, considering factors like where the identity is being used, how many login attempts have been made, and unusual behaviors, such as trying to access new or unusual applications.
Making this process as seamless as possible is crucial to solving the identity security problem, Jarvis says.
“It needs to be done in a way that people will adopt it. If you make it extremely difficult, you’re going to have a lower security level, because people won’t want to adopt that. So, you need to provide the right balance between proper security and the ease of adoption, the ease of user experience.”
Banks are a great example of this, he says. During the pandemic, many banks across the US moved to an entirely remote way of working, with limited opportunities to meet their customers physically. This meant that onboarding new customers and enabling important transactions to take place digitally had to be extremely secure, but also accessible so that customers could complete the steps needed.
The question you need to ask, Jarvis says, is: “Can an average consumer adopt this security, and actually use it?”
The first step is understanding how your consumers use and interact with your services. From there implementing a usable security that feels natural to them will have a much higher chance of being secure because they won’t try to circumvent it.
The mistake that we commonly make when looking at services online is that we compare the expectations with the physical experience. We need to compare digital and mobile experiences with others alike. In the world where a Netflix account can be opened or an Amazon order can be placed in minutes, digital banking is no different.
The HID Identity Management Platform
HID’s Identity and Access Management solution provides digital identity lifecycle management that helps to secure digital accounts and deliver zero trust security. The platform helps organizations to better manage identities in their workforce, better manage the identities of their customers and, through their PKI services , better manage the identity of their network and IoT devices, websites, users, and software applications or code.
HID’s advantage when it comes to securing digital identities is that they started off in the physical security space, Jarvis explains.
“As both physical security and digital security continues to converge, identities need to cross platforms. This puts us in a prime place to help the market move for that, because we have a unified platform that supports both.”
One of HID’s main customer verticals is the airline sector. “If you think about the versatility of identities at an airport, you have everything from the barista at Starbucks, airline employees, passengers, the ground crews, you have all sorts of various identity types that have different access levels, and we help manage that,” Jarvis says.
“We blend both physical and digital security needs through a single platform but provide that frictionless experience. So, we can come into an enterprise and help improve security and compliance for their workforce, their enterprise devices, their websites, and their customers with our platform.”
“The other thing that sets us apart is our ability to support the whole identity lifecycle orchestration. We have a very strong professional services organization, so especially for mid-enterprise companies that might not have dedicated IT security teams, we can help roll out deployments and set up workflows.”
How Organizations Can Solve New Identity Security Challenges
The pandemic caused a major shift in the way organizations work, Jarvis says. But how we return to the office, and what that will look like, could cause an equally seismic shift in the importance of digital identities.
“One of the things that we saw at the beginning of the pandemic was a fast shift to full remote. We were able to help our customers through that by providing them with extended licenses for folks who, prior to that, were never remote,” Jarvis says.
“Customers needed to make sure they knew who was coming in and out of buildings, because there was quarantine going on. Organizations needed to be able to shut off access to the building for some credentials and set up employees to secure remote devices. This means credentials for employees returning to a physical work location needs to be turned back on..
“But, as they come back, I think what we have seen is the need for automation and the ability to understand who is in your facilities and has access to your networks and devices, especially if this were ever to happen again, with more sophisticated credential management.
“One of the things we’ve done is launched Chromebook Certificate Enrollment Extension (CEE) using HID PKI-as-a-service, which has automated digital certificate installation and management into enterprise devices, like Google Chromebooks. Users can come back to the office and login to their Chromebooks as they usually do, and they would be setup with their digital identities automatically. So, as a Chromebook user, you can securely be up and running on your enterprise network, completely passwordless because the Chromebooks themselves automate the deployment and installation of those certificates. This creates that more seamless experience for users.”
Going forward, Jarvis says, “We’re going to see hybrid working environments, where there’s going to be fluid movement between working remote on some days and going back to the office on others. You need to be able to have a similar experience of what you’re accessing while you’re doing that.”
Thanks to Brad Jarvis for joining us for this interview. You can find out more about HID and their suite of identity security solutions here: https://www.hidglobal.com/iam