The future of innovation in identity access management (IAM) includes increased use of biometrics, the blockchain technology used in identity management systems, IAM for cloud services, and edge computing with IoT devices.
Biometrics Used for Identity Access Management
One of the megatrends is to more fully incorporate biometrics such as fingerprints, retinal scans, and facial recognition to better identify authorized users for networked systems. At first glance, this seems to provide a fool-proof way for systems to recognize individual people with near certainty by using their unique biometrics.
Increased Security Risk from Using Biometric Data
It is counter-intuitive to realize that using biometrics may increase security risk. They introduce a vast array of new cyber-attacks that are possible with the fraudulent use of the stolen biometric information. The problem is that unlike a complex password, which can be changed if compromised, a person’s biometrics cannot be changed. Biometric information is permanent. If the biometric data is stolen it cannot never again be used for identity verification thereafter with any certainty.
Beware of the Theft of Biometric Data
A case in point is the recently announced huge breach of biometrics data experienced by Suprema as reported by Techerati. Before this breach, Suprema was considered a global security leader in biometric access control systems. Suprema owns a database called Biostar 2 that is integrated with the AEOS access management system created by Nedap. AEOS used by more than 5,700 organizations worldwide in over 80 countries, including UK law enforcement. Nedap’s slogan is “Imagine you don’t have to worry about security.” Oh, really?
The data breach of Suprema’s Biostar 2 database involved 23 GB of highly sensitive, unencrypted confidential data files that included usernames, passwords, personal information, facial recognition data, and millions of fingerprints.
There is no need for the presence of the physical person if their biometric data files are compromised. All that is needed is their data. Theoretically, the millions of those fingerprints are now permanently no longer useful for identification because they are compromised. It is time to rethink the usefulness of biometric data. It may provide a false sense of security that is not warranted for network-wide deployment.
In the future, IAM that uses biometric data needs further security work to protect the biometric data from being compromised. Third-party risk of the biometric data being compromised is a real problem for a company like Nedap that relied on a company like Suprema to protect the biometric data.
Blockchain and Identity Access Management
Blockchain technology applied to identity access management attempts to address the problems with maintaining identification information in a centralized system. As demonstrated with the breach of Suprema’s biometric database, having all the identification information in the hands of a third-party creates the risk that they will not adequately protect the information.
Moreover, the personal identification information in such centralized systems is not controlled by the individuals. Instead, the information is owned by the third-party services provider. This may be a fatal flaw with such centralized designs that blockchain technology can address.
Self-Sovereign Identity
The identity information of a person should be their personal property that they control. This concept is called self-sovereign identity.
Keeping this information protected by encryption in a permanent blockchain using a decentralized distributed network system, gives the individual full control over the data. This avoids the conventional security risks of data stored in a centralized database.
Blockchain Smart Contracts for IAM
One proposal is to use blockchain technology to create a smart contract-based IAM system that allows users to control their identities and associate them with certain attributes in order to achieve the goal of self-sovereign identity.
Identity Access Management for Cloud Services
Another important one of the identity and access management trends is the role of cloud user access management software. Digital identity is very important when using cloud-based services. For example, the largest cloud services provider in the world is Amazon Web Services (AWS). IAM in AWS is a critical function to make sure only authorized users have access to critical data and applications and customer identity is managed for security risks.
IAM and Single Sign-On Systems
One of the IAM trends is to use single sign-on (SSO) systems with multi-factor authentication that grants privileged access to hybrid systems that may consist of cloud services combined with on-premises networks.
Many providers are now offering identity access management as a service (IAMaaS) that provide the SSO function based on the demand for these solutions. These solutions will continue to grow along with the increased migration to cloud services.
IAM and the Internet of Things
The explosive growth of the Internet of Things (IoT) comes along with a huge need for secure identity access management. Every type of IoT device added to a network increases the security risk exponentially.
For example, security camera systems in smart homes that are meant to improve security can be hacked by unauthorized users to spy on the occupants. Something as innocuous as being able to turn on a hot tub, to heat the water before using it, can tell a criminal hacker that the residents are not in the interior of the house, giving them an opportunity to burglarize the place.
Other examples of risks include inexpensive IoT devices that used biometrics, such as a fingerprint scan, to activate them. Most of these devices are not storing the fingerprint data securely.
IoT devices that collect personal medical information are good for tracking health issues; however, who controls the data collected and the uses that can be made of the data are areas of serious concern.
Another area that developers are working on for IAM systems, is to create the ability for the system to authenticate the access needed by a huge number of devices. One solution is to push as much of the computational needs out to the “edge.” This makes the devices do as much of the processing of the information as possible.
In many cases, securing IoT devices will be achieved by having the device identities embedded in the processing chip of the device as an integral part of the hardware.
Much work still needs to be done to provide an overview of networked IoT devices that is useful for system managers. The goal for IoT connected devices is to leverage the collection of data from the devices by linking it directly to the business systems. However, this linkage creates a huge security risk if not managed properly.
Context-Based Identity and Artificial Intelligence
Context-based identity management correlates data about an individual user that is relevant for the identity being authenticated. Relevant data includes many factors such as behavioral patterns, physical locations, preferences, usage, and system information such as an IP address and a machine address.
Using artificial intelligence (AI) programming algorithms to data-mine the Big Data can uncover the relevant data patterns as part of the data analytics. This type of analysis is already being extensively used by the banking systems globally to reduce fraud.
AI-based machine-learning systems can get to know a person so well that all the data collected about them, combined with multi-factor authentication, will securely identify most people.
Conclusion
Identity access management will continue to grow in scope and scale. Biometrics may be useful; however, it should not be solely relied upon for identification. Blockchain technology may be a better choice for those who want to control their identity. Ease-of-use for cloud-based offerings is driving the demand for single sign-on services. Expansion of the IoT requires scalable and reliable infrastructure to establish the identities of the billions of new IoT devices and manage them via a massive network.
Embrace the cloud because it is pervasive and continues to grow. Explore innovative applications of blockchain technology to develop new forms of digital identity management. Work with IAM solutions that may not yet be perfect, yet are flexible, governable, and scalable.