This post was originally published on Forbes.
Identity has always been an important factor in information security. After all, knowing who you are dealing with is half the challenge of making sure only the right people have access to sensitive information and resources. In the past few years, the role of identity in security has grown significantly as companies relinquish the control of the walled garden for the cloud, software as a service (SaaS) applications and flexible access. Identity has become “the new perimeter.”
It’s fitting, then, that as one of the largest cybersecurity events of the year, RSA Conference 2019 has an impressive lineup of identity-related subjects, with talks and workshops covering the most important topics and trends in the industry.
Here are three identity ideas that are getting much-deserved attention at the upcoming event.
Eliminating The Password Breach
Authentication is the cornerstone of digital identity. This is why passwords and other authentication data were targeted in nearly 45% of cyberattacks and breaches in 2017, the second-highest data type after email addresses. Large, centralized databases of passwords are a huge liability for companies and represent a major prize for attackers, incentivizing the mass-scale data breaches that have become commonplace.
Attackers know that passwords are the keys to the kingdom and can be used not only to escalate an attack within a target network but also carried over to other networks where users may have reused the same or similar passwords. Massive collections, or “combo lists” (like the one recently found with over 21 million passwords), are compiled and sold on the dark web to be used in account takeover attacks.
New technologies that move away from this model of centralized authentication and password storage will be highlighted at RSA this year. One example is the cryptographic method known as zero-knowledge proofs (ZKP). A ZKP allows users to demonstrate they know a particular authentication secret (such as a password) without ever having to share it with the verifying party. As a result, there is no need to store passwords anywhere.
In their RSA session on zero-knowledge authentication, Rajan Behal and Dr. Karla Clarke of KPMG promise to explain just how ZKP can be used to “give back consumers the control of their personal data.”
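The exchange the paragraph above describes, as an added example that is not from the article or from the KPMG session it mentions: a Schnorr-style interactive proof in which the client proves knowledge of a password-derived secret while the service stores only a verifier value, never the password. The group parameters are toy-sized constants constructed for illustration; the function names are this example's own.

```python
"""Schnorr-style zero-knowledge proof of password knowledge (interactive).
Toy parameters (constructed): p = 2039 is a safe prime with q = (p-1)/2 = 1019
prime, and g = 4 is a quadratic residue mod p, so it generates the order-q
subgroup. Real systems use a 2048-bit MODP group or an elliptic curve."""
import hashlib
import secrets

P = 2039
Q = (P - 1) // 2
G = 4

def password_to_secret(password: str, salt: bytes) -> int:
    """Derive the prover's secret exponent x; the password never leaves the client."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(digest, "big") % Q

def enroll(password: str) -> dict:
    """Registration: the service keeps (salt, y = g^x mod p), not the password.
    If y leaks, a weak password is still guessable offline, so use a slow KDF."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "y": pow(G, password_to_secret(password, salt), P)}

def prover_commit() -> tuple:
    """Message 1 (prover -> verifier): t = g^r for a fresh random r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def verifier_challenge() -> int:
    """Message 2 (verifier -> prover): random challenge c."""
    return secrets.randbelow(Q)

def prover_respond(x: int, r: int, c: int) -> int:
    """Message 3 (prover -> verifier): s = r + c*x mod q.
    Because r is uniform and secret, s leaks nothing about x."""
    return (r + c * x) % Q

def verifier_check(record: dict, t: int, c: int, s: int) -> bool:
    """Accept iff g^s == t * y^c (mod p), i.e. s was computed with the x behind y."""
    return pow(G, s, P) == (t * pow(record["y"], c, P)) % P

def authenticate(record: dict, password_attempt: str) -> bool:
    """One full round. With q this small a wrong guess is accepted with probability
    on the order of 1/q (c == 0 or a hash collision); a real group makes that negligible."""
    x = password_to_secret(password_attempt, record["salt"])
    r, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(record, t, c, prover_respond(x, r, c))
```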
Building For Zero Trust
The move to a more distributed IT environment requires new concepts and frameworks for identity and trust in the enterprise. One of these topics that will receive plenty of attention at this year’s RSA Conference is the zero trust security model.
Zero trust, introduced by Forrester Research analyst John Kindervag in 2010, is essentially the “identity is the new perimeter” theory in practice (and although they have similar names, zero trust is not related to zero-knowledge cryptography). At its core, the zero trust model simply states that network traffic and requests should not be trusted automatically just because they come from within your perimeter or a trusted endpoint. Everyone attempting to access a protected resource must be authenticated and authorized.
This approach aims to make it harder for attackers to move through a network and escalate access. It also shifts the burden of security from the firewall to the identity and access management (IAM) processes. Strong multifactor authentication, real-time adaptive risk assessment and standards-based single sign-on are some of the key zero trust building blocks that you can expect to hear about at RSA this year.
Biometric authentication is gaining rapid adoption as one of the few developments that can enhance security while also improving the user experience. However, like any exciting new technology, there is plenty of hype and oversimplification about just what security benefits biometrics can provide. That likely explains why the RSA agenda includes several sessions that look at how biometric authentication can be hacked, spoofed or outsmarted by artificial intelligence (AI).
Unlike a password, which (ideally) exists only in your head, biometric factors like your thumbprint, retina pattern or facial features are inherently hard to hide. This means they are susceptible to being copied and used to trick sensors. Perhaps more concerning is the fact that, unlike a password, you can’t change your biometrics if someone manages to steal and replicate them.
That isn’t to say that biometrics should be avoided. Every security measure has its own strengths and weaknesses. It is important to be aware of these factors so that technology like biometric authentication can be combined and layered with other defenses that fill in the gaps.
With around 50,000 attendees and hundreds of exhibiting companies, RSA can be an overwhelming experience. Finding your way between the sessions can be a greater challenge than selecting which ones to attend! Hopefully, this overview of some of the current topics in identity and security will help you take advantage of the world-class talent that will be gathering to share their vision and experience.
And if you’re going to RSA 2019, feel free to reach out to me to connect while there!