Condatis: The evolution of identity
When services first went digital, they were protected with minimal effort. With the internet boom, hackers emerged. Using a smokescreen to fend off the baddies was no longer a feasible option, which means securing customer usernames, passwords, and other data was the organisation's responsibility. Where did they put that information? in databases. Though the industry didn't know it at the time, this wasn't the best way to protect customers.
In the past, credentials were sent clear over the wire. If a particular service wasn't well-protected from man-in-the-middle attacks, (a lot weren’t) and someone listening in could see and steal user credentials.
Thus, the tale of passwords begins – the dreaded Ps became an attack route. It isn't a secret: we aren't very good at selecting our passwords. We often use the same ones for multiple sites, stored in their databases, stored in cleartext. Credential gets compromised = low hanging fruit and an easy target to try these same passwords elsewhere.
Web traffic encryption became the default standard to fix this security issue. HTTPS helps prevent man-in-the-middle by making it more difficult for bad actors to tamper with user and site communications.
Organisations stopped storing passwords in cleartext, and companies started protecting databases by salting passwords and hashing algorithms, so they couldn't see or guess passwords anymore.
Should businesses be responsible for managing and storing credentials in the first place? It's a lot of personally identifiable information for a business to hold, and the number of high-profile hacks shows many companies aren't very good at keeping our data safe. To ease the pressure, companies use trusted services such as Microsoft Azure Active Directory to take the burden of keeping external and internal identity credentials safe. Businesses can take advantage of Microsoft investment in securing AAD and the threat analytics that comes with operating identity systems on a global scale.
Today credentials remain a weak point. Remembering different, complex credentials for each service we use to date is hard. How can the industry make this experience better? One answer is multi-factor authentication (MFA). With MFA, you replace your credential with something you know (a username and password) with something you have, like a mobile device or physical security token, and something you are - i.e., a biometric fingerprint/facial recognition. We now secure our credentials with the support of authenticator apps like Windows Hello and Apple FaceID, for example. Passwordless technologies make identity secure and straightforward, but how do we go one step further?
Securing credentials and optimising onboarding with decentralised identity
How can identity technology help us optimise internal services, such as ensuring our employees are who they claim to be and have the clearance to access sensitive areas on our premises? How do we know someone has carried out their specialist training and is the right one for the job (think brain surgery or handling radioactive waste)? The answer is and will continue to be: Decentralised identity and verifiable credentials. Industry experts at Gartner predict "...a true global, portable, decentralized identity standard will emerge in the market by 2024, to address business, personal, social and societal, and identity-invisible use cases.".
We've seen a great example of simplifying staff onboarding and movement between siloed departments and sites with verifiable credentials at the NHS. The solution has made it to the 2021 HSJ 'Connecting Services and Information' Award shortlist. In the identity ecosystem, Microsoft and partners like Condatis are actively engaging clients across healthcare, higher education, utilities, hospitality, and more to implement verifiable credentials to extend their Azure Active Directory capabilities.
Extend your IAM capabilities and accelerate your transformation with Condatis.
To read more from #techUKSmarterState Week check out our landing page here.