With digitalization expanding corporate perimeters, passwordless authentication, phishing resistance, and decentralized identity technologies are now vital for enhanced cybersecurity and productivity.
When the COVID-19 pandemic spurred the accelerated migration to digital-first strategies, cybercriminals and scammers exploited the gaps in identity and access management to break into networks of all levels of sophistication.
This led to increasing adoption of Customer Identity and Access Management (CIAM) solutions to expand control over the skyrocketing number of digital identities being created and weeded in corporate environments.
According to Bill Hustad, Senior Vice President of Global Partners and Alliances, Okta, surveys show 56% of digital-first leaders in the Asia Pacific region have already deployed CIAM, and another 32% of respondents were planning deployment in the next 12–24 months.
Hustad shares with CybersecAsia.net his perspectives on the region’s tech investment and cybersecurity landscape in 2023:
CybersecAsia: What are the key priorities for businesses in APAC when it comes to technology investment?
Bill Hustad (BH): As we emerge from the pandemic, we are seeing many APAC organizations trying to do more with less, trying to adopt the Cloud, and trying to be more secure. We are also seeing many shift to using digital as their primary method for engaging customers and closing deals.
In the area of identity specifically, there are technologies that let users log into your applications with minimal friction. On top of the added security, the customer and employee experience is enhanced, and with this comes better stakeholder relations and better business.
In the government sector, more agencies are now issuing mandates around security, both in terms of protecting citizens, and in securing inter-agency communications. More governments are driving digital programs to enable their staff to work from home to service citizens, and identity — in terms of both workforce and customer identity — is central to this capability.
The bottom line is that APAC organizations need to invest sufficiently in digital technologies to establish a foundation that is resilient to disruptions. Specifically for identity, they should consider passwordless authentication, phishing resistance, and decentralized identity technologies. For greater scale, agility and cost-effectiveness, these technologies should be based out of the Cloud as far as possible.
CybersecAsia: What are the top challenges impacting organizations in the region in meeting the identity security and digitalization needs of a post-COVID-19 phase?
BH: In their identity implementations, many APAC organizations grapple with the tension between security, privacy, and user experience.
Conventional wisdom tells us that you can make an application super secure yet very inconvenient to use. Or you can make it super convenient but at the cost of reduced security or privacy.
This is a false choice. Modern technologies can improve the overall user experience and maintain security at the same time while enabling application builders to focus on what is most important: innovating for their customers.
Today’s identity management approach should be to let users securely move between technologies with fewer passwords while easing the integration burden on developers.
For instance, the right CIAM solution can help organizations streamline registration and login across any device, stack, or platform to achieve higher customer acquisition and retention; a better experience; and a fuller view of users. From social login and progressive profiling, to advanced security features like Adaptive Multi-factor Authentication (MFA), digital teams investing in the right solutions can have everything they need to increase revenue through new and repeat customers, without added security risks.
CybersecAsia: What if an organization invests heavily in digitalization without a frictionless digital identity and security infrastructure in place?
BH: Organizations that fail to provide adequate protection for personal and corporate information are likely to fall prey to cyberattacks. The financial losses from data theft and regulatory penalties are just the short-term consequences: the long-term damage to reputation and brand trust can be impossible to fully recover from.
From a vulnerability standpoint, modern attacks make all enterprise applications critical. With access to applications being requested from both inside and outside the enterprise network, all business apps become subject to cyber threats. Bad actors are capitalizing on this vulnerability through phishing and social engineering attacks, and internal users with malicious intent have the opportunity to misuse their privileges and compromise corporate data. This becomes an authorization issue, where users are not necessarily being given the right level of access. To get ahead of this issue, enterprises need to have robust identity management to optimize authentication and authorization in a seamless and secure way.
Many security threats begin with the same weaknesses: user accounts. And that includes the credentials and login policies that are supposed to protect them. With proper authentication, overall security improves, and organizations can ward off common attacks like phishing, spear phishing, credential stuffing, password spraying, and man-in-the-middle attacks effectively and with minimal resources.
CybersecAsia: As 2023 gets off to a rocky start in terms of geopolitical and cybersecurity risks, what are your predictions for CIAM and IT trends in general?
BH: In the wake of continuing cybersecurity events, including recent ones at Uber and Twilio, we are seeing growing interest from APAC organizations in pivoting to online authentication mechanisms that offer greater resistance to phishing attacks.
This makes sense because credential theft remains the primary means by which attackers gain unauthorized access to systems. According to the not-for-profit Anti-Phishing Working Group, Q1 2022 saw the highest rate of phishing attacks on record, with financial services and cloud service providers being targeted the most often.
So, a key emerging trend for 2023 is the demand for phishing-resistant authentication, or authenticators that can withstand real-time, adversary-in-the-middle (AiTM) attacks. Phishing resistance requires that the domain of the website a user is signing in to be tied to his authenticator, to ensure it will not issue his credentials to a fake phishing web page. Organizations can be a lot safer if they limit all user authentication to phishing-resistant factors. They can go as far as doing away with all passwords and login pages.
Okta is also expecting more APAC organizations in 2023 to move to solve the inherent risks posed by standing privileges, where privileged users have standing access to critical infrastructure and resources. Such arrangements create more security vulnerabilities because they extend access to users who may no longer require it, and their user credentials can then become targeted assets for threat actors.
We have seen many attacks that have their origins in these kinds of standing privileges, and the ability to solve for it through a single unified solution is a pretty big departure from how the world has traditionally worked. Integrating identity governance and administration (IGA) and privileged access manager (PAM) capabilities with identity and access management (IAM) ensures that IT has more power and control over access management without compromising on security or user experience. In the coming year, more APAC enterprises will invest to deal with this critical issue.
CybersecAsia.net thanks Bill for his objective insights on CIAM.