Recently, identity and access management solution provider Ping Identity announced its findings from the CISO Advisory Council Meeting. CISOs from industries as diverse as healthcare, banking, fashion, education, and technology met to discuss their mutual challenges and opportunities. The members of the CISO Advisory Council have access to strategic support and can leverage best practices in information security, privacy, and compliance, which makes their discussions a valuable resource.
According to Ping Identity CEO Andre Durand: “Our customers are the catalysts of change in the creation of products and services at Ping Identity, so we take their feedback on innovation seriously. These CISOs from leading organizations view identity as a strategic imperative for succeeding as a digital company.”
Ping Identity collected the discussions and collective discoveries from the CISO Advisory Council Meeting into two whitepapers: “7 Trends That Will Shape the Future of Identity” and “8 Things Your C-Suite Should Know About Identity.” The editors here at Solutions Review read through the whitepapers and compiled some of the key findings from both.
Here is our analysis of Ping Identity’s CISO Advisory Council Meeting whitepapers:
Passwordless Authentication Might Be the Future
In the “7 Trends That Will Shape the Future of Identity” whitepaper, Ping Identity discusses the future of authentication via contextual factors such as digital behaviors. A hacker, they reason, won’t use stolen credentials to talk to their victim’s mother (at least, not typically).
Indeed, Ping’s prediction seems to indicate the viability of behavioral biometrics. As opposed to physiological biometric factors, behavioral biometrics learn about their users through their digital behaviors, including their typing habits and patterns. These new kinds of passwordless authentication will provide a more flexible and adaptive low-level identity security system.
Ping Identity does stress the low-level aspect of passwordless authentication, and we agree. From what we can tell, it will work best in a tiered identity system.
In this kind of system, more proprietary and sensitive databases require more extensive authentication than less valuable databases or network locations. Passwordless authentication could be used to open up role-specific, non-privileged databases as the system recognizes the legitimacy of the user based on their innocuous actions.
In either case, this kind of continual, low-level identity verification certainly will play a role in the future of enterprise network authentication.
Multifactor Authentication (MFA) Might Not Be the Solution
Or at least, according to Ping Identity and the CISO Advisory Council, it isn’t a uniform solution.
Some kinds of multifactor authentication, such as one-time passwords, will be easier to deploy but less secure. Other MFA protocols such as token-based authentication are more secure but much more difficult to deploy and maintain on a large scale. Ping recommends in the “8 Things Your C-Suite Should Know About Identity” whitepaper that you carefully examine your enterprise to pick the right MFA solution for it.
We agree with this advice and would expand on how you can adapt your MFA to fit with individual employees. A low-level employee with limited access to your most sensitive data could be authenticated with a less secure scheme, whereas a more privileged employee should be required to carry an authentication token.
Alternatively, you can attach different MFA schemes to different databases and digital assets, with the most valuable being more heavily and inconveniently secured. Different factors can fit with different parts of the network; biometrics may not be necessary for everything.
Your MFA solution can be as varied as the MFA schemes available to you. Don’t limit yourself or your enterprise’s identity security!
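As an added illustration (not from Ping Identity's whitepapers or any product), here is a minimal Python sketch of the tiered scheme described above: a passing behavioral signal opens only low-tier resources, mid-tier resources require a one-time password, and privileged roles or high-value databases require a hardware token. The resource names, role names and the 0.8 behavior threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Assurance(IntEnum):
    BEHAVIORAL = 1      # continuous, passwordless behavioral signal
    OTP = 2             # one-time password: easy to deploy, weaker
    HARDWARE_TOKEN = 3  # token-based: stronger, harder to deploy

# Constructed sample policy; all names and values are assumptions.
RESOURCE_TIER = {
    "wiki": Assurance.BEHAVIORAL,
    "crm": Assurance.OTP,
    "payroll-db": Assurance.HARDWARE_TOKEN,
}
PRIVILEGED_ROLES = {"dba", "domain-admin"}
BEHAVIOR_THRESHOLD = 0.8  # hypothetical score cut-off

@dataclass
class Session:
    role: str
    behavior_score: float                       # 0.0 to 1.0 from a behavioral engine
    verified: set = field(default_factory=set)  # explicit factors already passed

def required_level(session, resource):
    # Unknown resources fail closed to the strictest tier.
    level = RESOURCE_TIER.get(resource, Assurance.HARDWARE_TOKEN)
    # Privileged employees always carry a token, whatever they touch.
    if session.role in PRIVILEGED_ROLES:
        level = Assurance.HARDWARE_TOKEN
    return level

def achieved_level(session):
    levels = set(session.verified)
    if session.behavior_score >= BEHAVIOR_THRESHOLD:
        levels.add(Assurance.BEHAVIORAL)
    return max(levels, default=0)

def decide(session, resource):
    need = required_level(session, resource)
    if achieved_level(session) >= need:
        return ("allow", None)
    # A behavioral signal cannot be requested on demand, so the
    # weakest challenge the system can issue is an OTP.
    return ("step_up", max(need, Assurance.OTP))
```
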
Biometrics: Up Close and Personal?
One of the most interesting points from the “7 Trends That Will Shape the Future of Identity” whitepaper is the power of proximity in biometrics. Biometrics haven’t yet experienced the kind of watershed vulnerability moment that passwords had recently. However, hackers are developing the technology to fool biometric sensors. It might only be a matter of time.
However, Ping Identity does point out that local sensors are much harder to fool and to compromise, as doing so would require the hacker to be physically in the room with the sensor. While local biometric sensors might be pricey, they can provide a strong protective perimeter for on-premises workers. We do advise against using biometrics at scale over the internet, as that can create new security vulnerabilities in the long term.
This doesn’t begin to cover the full insights Ping Identity unveils in their whitepapers. You can read more about Ping Identity’s CISO Advisory Council Meeting Whitepapers here.