January can’t go by without another set of prediction blogs coming our way, be that for lifestyle, how to lose weight, how to gain weight, how to change our lives and so on. I thought I would join the bandwagon and jot down what I think will be the top 5 challenges facing organisations from a security perspective this year. If I’m being diligent enough, I may even review it come December (only if I’m right, of course…).
Customer Identity Management Will Keep CIOs Awake at Night
Many organisations are going through digital transformation processes, whether that is public sector departments wanting to streamline areas such as taxation, driving licence management or health care, or private sector organisations looking to reduce costs or open new market opportunities.
Digital initiatives are everywhere. Don’t believe me? Check out how many CDOs (Chief Digital Officers) now exist on LinkedIn – over 3000 in the UK alone. These new approaches to product and service delivery require a strong hold on the identity and access management requirements of customers. Customer registration, authentication, two-factor authentication and device fingerprinting are just a few of the topics hitting the to-do list of many CISOs and CIOs – all services that suddenly need rolling out to potentially millions of end users. Big scale and big headaches will result if a modular and scalable identity platform isn’t available.
Water Cooler Chat Will Be All About Device Security and Internet of Things Madness
By now, everyone has an automated toilet, with a mood-influenced flush, that instantly publishes the metadata to Twitter, right? Perhaps not, but there is no doubting that the Internet of Things landscape is maturing rapidly and the identity of things (shameless blog plug) is going to be a huge area for device manufacturers, service providers and end users.
IoT systems and devices have all been about communications and interoperability so far. Adding communications services to low-power, low-capacity devices brings new opportunities for things like home automation, smart cities, smart cars and more. However, as these devices collect, store and distribute data to brokers and cloud services, data privacy becomes a huge concern, especially if the data contains production plant statistics or personal health information. The devices, and the ecosystem that supports the delivery of those devices, will need to be coated in a meta layer of security, from registration and authentication services through to lightweight encryption and signing technology.
Passwords on the Mobile Will Disappear (OK, Not Entirely…)
Passwords are dead. Long live the passwords. I think this topic has been the most written about in blog history. Ever. OK, perhaps not quite ever, but the number of column inches dedicated to the next big thing in password-less authentication / how passwords can’t die / how passwords will die is quite remarkable. One thing that is for sure is that the number of users accessing web content and apps via mobile devices (be that phones or tablets) is continuing to rise and significantly outstrip the need for desktops. What that does, of course, is increase the desire for less reliance on password-based authentication on mobile tech. It’s simply too inconvenient and too insecure. As mobile devices build out easier-to-use secure elements, the storage of crypto materials, session tokens, refresh tokens and other authentication data will allow protocols such as OAuth2, or cryptographic authentication schemes, to take precedence over the traditional username and password approach.
Employees Will Want Access to More Cloud Services
Many organisations are at a crossroads when it comes to cloud services. Many want to embrace new as-a-service components such as HR, payroll, collaboration and office automation systems. They are often very simple to register and pay for, simple to set up, and allow the organisation to concentrate on its key competency areas. This does, however, bring strong challenges with regard to employee provisioning and single sign-on to external services. Employees do not want to have to remember new and different usernames and passwords to access Google Apps, Salesforce or HR Factors. Single sign-on is mandatory for user convenience, as is the ability to create and remove users in a streamlined and automated fashion, using provisioning systems deeply integrated with HR rules and business logic. These new requirements can put strain on already buckling legacy provisioning and access management systems that were often conceived and implemented long before the ‘cloud’ was cool.
Consumers Will Want More Control and Transparency Over Their Data
This last one is interesting. I don’t think this is suddenly a new requirement or concern for 2015. I think it has always been the case that consumers are very keen to keep their online identity secure, their banking details safe and their national insurance or social security number locked up. However, as more and more devices require and process our personal data, end users are becoming more enlightened with regard to how their data is used and stored.
The Internet of Things takes this to a new level, with many more services, apps and devices wanting to consume, process and potentially redistribute personal data. End users want to have a clear, simple and transparent method of not only sharing data, but also having the ability to revoke previously granted access to personal data. We are probably some way off this being a reality, but protocols such as OAuth2 and User-Managed Access can go some way to help fulfil these newer requirements.
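To make the "grant, then revoke" requirement concrete, here is an added Python model of the OAuth2-style behaviour the paragraph refers to. It is not code from the original post or from any OAuth2 or UMA product; the class and function names (`AuthorizationServer`, `Grant`, `Token`, `resource_allowed`) and the sample user, client and scopes are all invented for the example. It records a user's consent for a client as a set of scopes, issues tokens against that consent, lets a resource server check a token (in the spirit of RFC 7662 introspection), and shows that withdrawing consent invalidates every token issued under it, in addition to revoking a single token as RFC 7009 describes.

```python
"""Constructed model of OAuth2-style consent, access checks and revocation.

Added illustration only: not code from the post's author or from any real
OAuth2/UMA implementation. All names and sample data are assumptions.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """A user's consent for one client to access a set of scopes."""
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


@dataclass
class Token:
    """An access token issued against a specific grant."""
    value: str
    grant: Grant
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Hypothetical authorization server that stores grants and issued tokens."""

    def __init__(self, token_ttl: float = 3600.0):
        self.token_ttl = token_ttl
        self.grants = {}   # (user, client_id) -> Grant
        self.tokens = {}   # token value -> Token

    def consent(self, user, client_id, scopes):
        """User grants a client access to the given scopes."""
        grant = Grant(user, client_id, frozenset(scopes))
        self.grants[(user, client_id)] = grant
        return grant

    def issue_token(self, user, client_id, now=None):
        """Issue a token only while an active (non-revoked) grant exists."""
        grant = self.grants.get((user, client_id))
        if grant is None or grant.revoked:
            raise PermissionError("no active consent for this client")
        now = time.time() if now is None else now
        token = Token(secrets.token_urlsafe(24), grant, now + self.token_ttl)
        self.tokens[token.value] = token
        return token

    def introspect(self, value, now=None):
        """Return the token's scopes if it is active, else None (RFC 7662 style).

        A token is inactive if unknown, expired, revoked itself, or issued
        under a grant the user has since withdrawn.
        """
        token = self.tokens.get(value)
        if token is None or token.revoked or token.grant.revoked:
            return None
        now = time.time() if now is None else now
        if now >= token.expires_at:
            return None
        return token.grant.scopes

    def revoke_token(self, value):
        """Revoke one token (the operation RFC 7009 defines)."""
        token = self.tokens.get(value)
        if token is not None:
            token.revoked = True

    def revoke_consent(self, user, client_id):
        """User withdraws consent: the grant and all tokens under it stop working."""
        grant = self.grants.get((user, client_id))
        if grant is not None:
            grant.revoked = True


def resource_allowed(server, token_value, required_scope, now=None):
    """Resource-server check: is the token active and does it carry the scope?"""
    scopes = server.introspect(token_value, now)
    return scopes is not None and required_scope in scopes


if __name__ == "__main__":
    # Constructed walk-through: a fitness app is granted read access to step counts.
    srv = AuthorizationServer(token_ttl=60)
    srv.consent("alice", "fitness-app", ["steps:read"])
    tok = srv.issue_token("alice", "fitness-app", now=1000.0)
    print("read steps:", resource_allowed(srv, tok.value, "steps:read", now=1001.0))
    print("write health:", resource_allowed(srv, tok.value, "health:write", now=1001.0))
    srv.revoke_consent("alice", "fitness-app")
    print("read steps after revocation:",
          resource_allowed(srv, tok.value, "steps:read", now=1001.0))
```

The design point is that revocation is checked at the grant, not only at the token: a user withdrawing consent must cut off every token the client still holds, which is why `introspect` consults `token.grant.revoked` as well as the token's own flag and expiry.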
By Simon Moffatt
This blog post was first published @ www.infosecprofessional.com, included here with permission.