Death to passwords: identity management in the modern age
By Deepak Narain, Regional Presales Manager – MENA, VMware, one of the world’s leading enablers of digital transformation.
Who are you? And can you prove it?
These are the two questions your technology asks you every morning. And we now have a variety of ways to answer them: from typing complex, though hopefully memorable, passwords, through to scanning our finger prints on our phones. Identity management is a critical part of our IT experience, protecting our data and ensuring that our confidential information is kept away from prying eyes.
When you think about it, business mobility is also driven by identity. From managing your calendar, accessing emails, ordering a taxi or buying food – each application is tied to a specific identity, perhaps an IP address, work profile or social media account. On our personal devices, authentication is simplified and built for easy access, often bypassing sign in to favour a federated identity approach in which all apps are accessible once the hardware is initially unlocked.
However, when it comes to organisational processes – such as storing customer data, or calculating payroll financials – this level of security simply won’t cut it. In order to stay compliant with industry guidelines, businesses must place their data behind more complex barriers as a protection against external threats. This poses its own challenges: while users expect a ‘consumer-simple’ experience, balancing it with the requisite level of enterprise security is near impossible. For users, trying to access organisational data can seem more trouble than its worth – requiring VPN access for some applications; two factor authentication for others. Productivity slows down, employees become frustrated and the benefits of a mobility investment are quickly eroded.
This is the crux of the issue: tech only works if the process is understood by the user – anything else is a failure. Addressing the issue of identity management means thinking about two areas: authentication and security.
Although written passwords have long been the preference for security, the tide is beginning to turn. Once again consumer demand has been the catalyst for organisational change; for today’s technology users, now accustomed to accessing their mobile devices via a fingerprint, having to type long passwords to access their organisation’s IT seems terribly old fashioned. It is also not as effective – passwords can be guessed, or even broken with the right technology – indeed, an experiment by Ars Technica demonstrated how easily this could be done, with one hacker cracking over 14,800 passwords in less than an hour by using a computer cluster.
Part of the emerging advancements in biometric security include thumbprints being accompanied by retinal scanning as well as facial and body language recognition. And while we may be some way off the biometric identification technology that was central to the recent film X-Men: Days of Future Past – in which the mutant population could be identified with a remote scan of their genetics – biometrics technologies are gaining increasing traction in the industry. Indeed, Google has vowed to use the technology to kill passwords – and it wants to do so before the end of the year.
All this means that while data will be stored securely, access will be easier than ever.
Bringing it to the business
Identity management will always be crucial, and biometric authentication is just one method that we will see organisations using in the future. There are, however, other software-driven systems – such as key-stroke tracking – which can bridge the gap and help change an organisation’s culture in preparation for a more fluid and dynamic IT system. While the enthusiasm and desire for improved accessibility may be there, the technical know-how is not always present. With many organisations operating with legacy infrastructure, it can be a challenge to bring newer technologies into the IT estate. Businesses need a technology partner that can help them bridge this gap.
In the cloud era, identity management needs single sign-on so that IT can continue to manage the one-to-many relationship between a user’s corporate identity and all the other identities they carry across the cloud in both SaaS and mobile apps. When a user arrives, or more importantly leaves a job, access should be granted or revoked immediately. And for time-strapped IT departments, this should be streamlined and automated, eliminating the manual – and error-prone – ticket processes typically used to provision and de-provision users.
The old world of perimeter defence is dead, now a CIO will find that their organisation’s applications and information are everywhere, both inside and outside the walls of the data centre. At its heart, modern identity management is about understanding and controlling the sprawl of data and applications. For employees, it is about having an access to an identity that is ‘consumer simple, enterprise secure’; an online version of themselves that the organisation’s infrastructure will recognise and let into the system quickly.
You know who you are, so should your business.