Ongoing Breaches

The number of breaches and data records reported every year as compromised shows no sign of letting up. The number of confirmed breaches covered by the Verizon Data Breach Report for 2021 rose to 5258 and for 2022 to 5212 compared to 3950 in 2020 and approximately 2000 from 2015 to 2019.ⁱⁱ A top target of cyberattacks is often credential theft, with the primary motive behind attacks being financial and the perpetrators frequently involved with organized crime groups. It’s important to remember that any statistics about security incidents and breaches depend on the events being discovered and voluntarily reported so these numbers may not represent the whole picture. A large breach can also skew the numbers from one year to the next. However, both common sense and the numbers reported each year indicate that the need for cybersecurity is not going away anytime soon, and identity management solutions that mitigate risk from credential theft can help minimize the damage of an attack.

Evolving Targets

The targets and methods by which stolen data is monetized have been evolving. As one industry or avenue of theft comes under attack, consumers and service providers implement mitigations, causing cybercriminals to pivot to easier targets. The financial industry was an early target, but as financial institutions implemented more defenses, the entertainment and retail industries came under increasing attack, often as a source for stolen credit card data. Recent years have seen increased attacks on healthcare and small/medium-sized businesses and a focus on credential theft as well as an increase in ransomware attacks.

With the introduction of an EMV microchip in credit cards, and the increasing use of multi-factor authentication in financial services, some hackers have shifted their focus to stealing identity data and creating new ways to monetize it. Fraudsters have used stolen identity data to obtain medical services, commit insurance fraud, apply for tax refunds, and even redeem loyalty club points. Hackers have successfully exploited vulnerabilities in the Signaling System 7 (SS7) system that allows interconnection between phone networks, in order to intercept SMS text messages commonly used for multi-factor authentication to protect access to financial accounts and other targets of value.ⁱⁱⁱ Malicious actors often seek and take advantage of undisclosed or unknown vulnerabilities which gives them the advantage of surprise against defenders. The constant adoption by attackers of new targets and techniques will require commensurate ongoing evolution in security defenses, including identity management mechanisms, to protect consumers and businesses.

Increasing Complexity

As the world becomes ever more connected, software systems are similarly becoming more interconnected and more complex. Greater integration and complexity increases the risk of a vulnerability, either within an individual component or in the interfaces between components. At the same time, identity information and other sensitive data is increasingly collected and shared between systems, putting it at risk when a vulnerability is found and exploited by hackers. Developers and administrators will need to continually adopt more effective solutions and practices to securely develop and manage large, highly integrated software systems.

Diversifying Motives

While early hackers often hacked into systems for entertainment and bragging rights, the motives for hackers have diversified over the years. Financial motives dominate today, with the 2022 Verizon Data Breach Report indicating that financial motives were behind well over 80% of the breaches studied.^iv Recent years have also seen attacks with other motives including hacktivism, industrial espionage, cyber espionage by nation states, election tampering for political gain, and cyberwarfare as a political tool or in support of physical warfare. The development of comprehensive threat models and mitigation plans will need to consider a widening array of actors and motives in addition to many new types of targets.

Homes and Businesses

Smart devices for homes and businesses offer many conveniences, but require security to prevent them from being used against their owners. Security cameras and baby monitors have been hacked to spy on people in their homes.^v Even smart dolls such as the My Friend Cayla doll and Furby, designed to interact with children, have been found to have significant privacy and security issues, being hackable via Bluetooth connection.^{vi, vii} Smart devices have also been used to enable attacks against other resources on the same network. A particularly eye-opening example is the hack of a network-attached sensor for an aquarium heater for a large fish tank in a Las Vegas casino lobby.^viii The sensor provided a conduit for hackers to infiltrate the casino’s network and exfiltrate data. Without adequate security, the Internet makes it possible for hackers anywhere in the world to leverage vulnerable network-attached devices, even innocuous-seeming fish tank heaters, for malicious purposes.

Cars

Cars now offer new infotainment systems with an increasing number of helpful services. Passengers can view movies and play video games. Drivers benefit from onboard navigation systems, and services like OnStar can provide communication, weather information, emergency assistance, and remote diagnostics.^ix Along with these valuable services, however, has come a new attack surface, and security researchers have demonstrated several exploits against it.

In July 2015, news broke of an attack against Jeep Cherokee where two security researchers demonstrated taking control of a car driving down a highway 10 miles away.^x By exploiting a vulnerability in the Uconnect system which controls the car’s entertainment system, they were able to send commands from their laptop to the car’s dashboard, steering, brakes, and transmission.^xi This incident was alarming by demonstrating the potential for a security vulnerability to be exploited to inflict physical harm on a car’s occupants. Since then, researchers have demonstrated additional vulnerabilities by compromising a Tesla key fob to steal a Tesla, unlocking and remotely starting cars with OnStar RemoteLink, and taking control of navigation systems in Volkswagen and Audi vehicles.^xii Cars and the services delivered to them will need to be designed with adequate security to protect the privacy and physical safety of occupants.

Medical Implants and Monitoring

A wide variety of medical devices help us treat chronic conditions and live fuller lives. Remote patient monitoring (RPM) technologies can be used for monitoring factors such as blood pressure and pulse, blood sugar levels for diabetes, and even heart function.^xiii Implanted cardiac devices, for example, connect to the heart and provide relief for several heart conditions including hearts that beat too slowly, too fast, or unevenly. A monitor often connects wirelessly to retrieve data from the device. Remote monitoring with implanted cardiac devices provides the ability for doctors to assess patients without physical visits and detect problems earlier. The technology designed to improve our health, however, could potentially be used against us if not adequately secured.

In March 2019, a security vulnerability was announced for Medtronic implantable cardiac devices (implantable cardioverter defibrillator).^xiv The devices rely on the Conexus protocol, which was not designed with any form of authentication, authorization, or encryption. Data was transmitted in the clear, potentially allowing an eavesdropper to gather information about a person’s condition. Most alarming, however, was the possibility that an attacker within 20 feet could reprogram the cardiac device. The small size of these devices means they may not have the memory or processing power to run some of the security protocols used in less constrained environments. Further innovation and education will be needed to design and deploy efficient but lightweight security protocols on extremely small capacity devices.

Robots

Robots and industrial automation technologies are being designed for many industries and offer promises of efficiency, accuracy, scale, and performing tasks in environments dangerous to humans. Robots have been designed for surveillance, monitoring, routine chores such as vacuuming, disaster response, education, entertainment, manufacturing, medical applications, autonomous mobility, and research.^xv The breadth of applications for which robots have already been designed is incredible. However, security researchers have also demonstrated security vulnerabilities in several types of robots.

Security research firm IOActive described a worrying list of security issues in robots in a paper about a recent investigation they conducted.^xvi They evaluated robots used in homes, businesses, and industry settings, and despite it being a limited study, they found almost 50 vulnerabilities, including inadequate authentication and authorization, allowing unauthorized access to robots as well as the ability to install software on the robots. Communications involving sensitive data were not secured, and encryption of data was either missing or improperly implemented. The devices were often not secure by default, and best practices such as changing default administrative passwords were difficult.

Given the likely widespread use of robots in the future, this should be fairly alarming. Microphones and cameras in robots can be taken over for cyber espionage purposes to steal personal information or proprietary corporate information. The security of a network can be threatened by vulnerable devices attached to the network, meaning inadequately secured robots could potentially provide a conduit for attackers. Robots could also be taken over and weaponized, disabled, or held for ransom. Significant damage could be done if robotic technology is not hardened.

Erosion of Perimeter Protection

The computing infrastructure used to deliver services to consumers and businesses alike has been moving from individual data centers to cloud services and involves logic running on myriad new types of devices and edge computing servers. At the same time, the employees involved in creating and managing such services are increasingly working from home or locations other than a corporate network. This has decreased the effectiveness of the security once provided by enterprise network perimeters. As a result, organizations have been moving toward architectures based on Zero Trust principles, making identity and access management services critical to protect the access to individual infrastructure components. Organizations utilizing many services will need efficient solutions to provision and manage identities and access privileges across a widening portfolio of services and devices.

The combination of ongoing threats, evolving targets, a widening circle of actors and motives, and the bypassing of traditional network perimeter protections result in an increased need for effective identity management. At the same time, we’re seeing an explosion in the number and types of entities which need an identity in order to securely participate on the Internet and access services.

Personal Agents

Virtual personal assistants, customer assistants, and employee assistants will become more capable and connected. Applications on smartphones can use virtual personal assistants such as Siri or Google Assistant through APIs, enabling users to access app features and shortcuts from the lock screen or in hands-free mode. Users will be able to go beyond having assistants do simple tasks like taking notes, setting alarms, and calling friends to enabling them to perform tasks in applications on their behalf, such as making purchases or sending payments. Concierge applications might use information about our habits and preferences to help with tasks like making dinner reservations or purchasing airline tickets. Without requiring our interaction, smart applications could help with routine chores like making preventive doctor appointments, regular purchases, or texting a friend with whom we have a meeting to let them know we’re running late. In corporate settings, virtual employee assistants could help with tasks such as scheduling meetings, diagnosing problems, or analyzing data. As virtual personal assistants act more autonomously, they will need to be authenticated and authorized just like a human user to ensure they perform authorized tasks and not those of a hacker. They’ll also need to be capable of authenticating the services with which they interact, to avoid disclosing sensitive information to incorrect parties.

Autonomous Vehicles

Autonomous vehicles will significantly change transportation, but lack of a driver will shift some identity requirements from drivers to other entities. Humans may need to identify and authenticate autonomous vehicles that give them a ride as part of mobility as a service. Entrance gates to secured facilities may need reliable mechanisms to authenticate autonomous delivery vehicles, rather than drivers, when goods are delivered. Smart cities may want to authenticate and monitor autonomous vehicles on bridges, in tunnels, or near critical infrastructure. Autonomous vehicles may even need to identify and authenticate each other and validate the integrity of software controlling a nearby car, especially in tight spaces or at high speeds. Just as some networks only allow managed devices with validated configuration to connect, cities or highways may want to only allow authenticated and properly secured autonomous vehicles in sensitive areas.

IoT Devices

The potential applications for Internet of Things (IoT) devices are enormous. Smart thermostats, cameras, TVs, lighting, appliances, toys, medical devices, and a fascinating array of data-collecting sensors are just a few examples. IoT devices that have an IP address with which to communicate on the Internet will also need to authenticate themselves to remote servers and use adequate transmission encryption before transferring data to protect sensitive data as well as the integrity of uploaded remote datasets. They will also need to authenticate requests coming from administrative applications to mitigate the risk of malicious commands and the upload of malware to the devices. Without identity management and security measures, IoT devices can potentially be used to spy on their environment and corrupt datasets or, worse, be hijacked or rendered inoperable for malicious purposes.

Robots

Robots will need identities for the same reason as other IoT devices. They will need to authenticate themselves to services with which they interact, and they will need to authenticate incoming requests to prevent the robot from being taken over for unauthorized purposes. Robots will, in general, have significantly more capabilities and processing power, and therefore the potential for how they can be turned to malicious purposes may be greater than with smaller, simpler IoT devices like sensors. In addition to being used for espionage, robots can potentially be taken over and weaponized to cause physical harm.

e-Identity

We expect to see more electronic identity initiatives around the world. Governments face the same pressures as businesses to deliver services more efficiently to distributed populations, which typically drives pursuit of online delivery for services. At the same time, many government services must be protected against fraud, which means their online delivery requires well-validated electronic identity information and stronger forms of authentication than simple passwords. This is likely to increase interest by governments in government-issued electronic identities (e-identity) or public-private sector collaboration for e-identities.

Several governments have already embarked on national e-identity initiatives. Estonia has a well-established e-identity program that issues a digital identity to citizens and residents and is used to streamline functions such as accessing government services, paying taxes, coordinating healthcare, and voting.^xvii Estonia is even working on expanding this to create a digital nation, offering select services to remote e-residents.^xviii Belgium has issued a national digital identity which can be used for identification, digital signature, and access with public services online.^xix A consortium of mobile phone network providers and banks in Belgium, called Belgian Mobile ID, have created a mobile application called itsme that enables those with a Belgian e-identity (eID) and mobile phone to register at participating websites, authenticate, confirm payment transactions, and digitally sign documents.^xx In yet another model, Sweden offers access to some public services via electronic identities issued by banks.^xxi

Electronic identity programs will face some adoption challenges. Cultural distrust of governments or the banking industry in some countries may hinder and slow e-identity initiatives. Privacy and security concerns with electronic identity schemes will also need to be addressed. The constitutional validity of India’s ambitious Aadhaar electronic identity program, for example, faced a lengthy Supreme Court challenge which hinged on security and privacy concerns.^xxii However, the need for governments to deliver public services efficiently and securely, the desire by some businesses to leverage more strongly validated identities, and the preference by citizens and customers to conduct more transactions online will likely drive continued efforts by governments and private sector consortiums for citizen/consumer-facing e-identities. In addition to validated identity information, such identities will need to support stronger forms of authentication.

Stronger Authentication

We will doubtless see increased adoption of stronger forms of authentication to mitigate the risks associated with static passwords. The W3C Web Authentication (webauthn) specification creates a more standardized level of abstraction between applications and specific authenticators. Developers will be able to implement authenticator-agnostic strong authentication, and users will gain the ability to use authenticators of their own choosing, whether hardware security tokens or biometric factors collected by their device. This standard is likely to facilitate the adoption of stronger forms of authentication and reduce the use of passwords as a sole authentication factor.

Solutions for Smaller Devices

We anticipate ongoing evolution in solutions and protocols to support smaller, constrained IoT devices that need protections such as authentication, authorization, message integrity validation, and encryption. Devices with small amounts of memory and which need to minimize power consumption to conserve battery life need protocols that are lightweight and use techniques such as minimizing round trips and overhead as well as using cryptographic algorithms that enable the use of smaller keys and/or certificates. Entities which need to validate the likes of security messages and certificates depend on having accurate time as well as solutions for detecting certificate revocations, but existing solutions may not work on constrained devices. The Constrained Application Protocol (CoAP),^xxiii Transport Layer Security (TLS) 1.3,^xxiv and Datagram Transport Layer Security (DTLS) 1.3^xxv may prove useful for solutions involving such devices.

Asynchronous Online Interaction

With digital transformation driving more services and interactions online, we are likely to see innovation and AI driving more autonomous and asynchronous interaction between digital services. Users may want to facilitate automation by authorizing third-party entities to perform tasks on their behalf or to access their data. For example, when applying for a loan online, a lender might require information about an applicant’s income, credit score, ratio of debt to income, past tax returns, and credit card statements. An online lender will want to obtain information electronically for efficiency and to facilitate the use of artificial intelligence in evaluating applicant data. A user could authorize the loan site to obtain information about their salary from an employer, data on their credit history from a credit reporting agency, and perhaps credit purchase history from their credit card company, but such checks would likely occur asynchronously, triggered by a cascade of online transactions once the applicant submits their request.

Specifications such as the “User Managed Access grant for OAuth 2.0”^xxvi from the Kantara Initiative^xxvii may contribute to making such use cases feasible, in parallel with efforts to explore the risk, liability, and privacy rights applicable for such scenarios. This standard allows a user to authorize access to their content to a third-party while decoupling the timing of the authorization from the access request. A third party can initiate a request to a resource server without the user’s synchronous involvement. The third party interacts with the authorization server to obtain claims to satisfy access policy specified by the owner of the requested data. Solutions for autonomous and asynchronous interaction will require work on technical protocols and products as well as work on business, social, and legal feasibility, and identity and access management will be an important enabler.

Easier Adoption

We need better resources created to make correct implementation of identity management easier for developers. The specifications we have discussed total over 800 pages. This is a lot for developers to absorb especially when you consider the number of specifications involved, requiring developers to go back and forth between multiple documents to coalesce advice and figure out how to apply the technology correctly in their application and environment. Libraries will be needed that are well documented, support a good user experience, and help developers implement the protocols/frameworks correctly. To be successful, this will require collaboration between parties creating or promoting specifications, platform/device vendors, user agent vendors (for devices with browsers or other user agents), security analysts, and those creating libraries and SDKs. A sentiment from John Dickinson’s 1768 “The Liberty Song” says it best: “By uniting we stand, by dividing we fall.”^xxviii

Always Look Forward

During our years of working with customers, engaging with product and solutions teams, and building identity solutions for projects, we have come to appreciate that what starts with just a simple login box can quickly grow into a primary line of defense between your application and threat actors, yet can also serve as a key driver for customer conversion.

Authenticating a user today requires validating their credentials and additional factors, intelligently assessing risk associated with the authentication transaction, implementing password brute force attack protection, and more, but the sign-in box and process is also the leading conversion influencer. A large number of user abandonments in the online sales process happen at the login box for online retail sites.

Balancing the needs of security and user experience can be an accelerator for business value, but may cause tremendous overhead in technical implementation if not done efficiently and well. Being able to look ahead and develop identity features for your application as a service that can be worked on independently from your application allows you to easily integrate and expand the identity service to meet your future requirements. You may also be able to offload or even integrate with a vendor solution to provide risk-based security assessment.

Open standards play a very large role in being able to realize this vision. Following an open standard may seem daunting at first, but as we learned in Chapter 10, implementing standards-based identity management for an application can be simple and straightforward. Open source libraries and vendor-provided libraries are readily available for most of your application requirements. Leveraging standards enables you to more easily adopt open source and third-party solutions that can provide helpful features, make it easier to adapt to future trends, and allow you to focus on innovation for your application’s core purpose.

Usability Is Important

Designing or deploying a complex security mechanism can be a satisfying intellectual challenge. You should ensure, however, that the resulting system can be easily used and understood by mere mortals. Users who are annoyed by overly cumbersome security measures will seek ways to bypass them. Users who do not adequately understand security technology can inadvertently render it useless through misconfiguration or erroneous usage. Make it easy for users to understand how to do the right thing and conduct some usability testing with target users to identify any usability glitches before a big deployment.

Validation Is Critical

You’ve probably heard the phrase “Garbage In, Garbage Out,” and this certainly applies to security. Security decisions depend upon validated information as input. For this reason, be sure to correctly validate all tokens before relying upon the information they contain, and validate all input of identity and user profile attributes used in access control decisions or communication to users.

Logout Takes Time

In environments where a user may have sessions in many components or tiers of an architecture, designing, implementing, and testing logout can take longer than login. Make sure to understand the challenges involved in logout as well as session termination and allow adequate time in your project to make this feature work correctly.

Monitor Trends and Vulnerabilities

The only thing constant is change. Keep an eye on the current security guidance for the protocols, technologies, and products you use to stay aligned with best practices as they evolve. Read security industry reports, such as the Verizon Data Breach Investigations Report, to stay abreast of trends in attacks, common vulnerabilities, and how to minimize your risk. Make sure to also monitor nonsecurity trends impacting your target users, industry, or market, as they may give rise to new security challenges or requirements. Lastly, to facilitate your ability to respond to changes, be sure to allocate budget and resources for responding to unexpected vulnerabilities/incidents as well as proactively upgrading to adopt new best practices.

Key Points