Whether for personal use or accessing your corporate network, authentication and authorisation are two critical concepts in access control. At times confused with authorisation, authentication is the process of verifying the identity of an entity before access or authorisation is given.
Authentication may involve the use of passwords, access tokens, and biometric verification, while authorisation uses processes like Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
With all the innovations placed around authentication and authorisation, why do systems still get hacked? And as more organisations move to the cloud, what can we expect from these two facets of access control in the years ahead?
Jayavignesh (Jay) Reddy, a senior IAM evangelist for ManageEngine, says enterprises are at a historical low when it comes to trust.
“If you look at it there is no algorithm out there that you can write to detect the truth when it comes to human beings.”
He explained that cybersecurity is moving from being more machine-centric to being very human-centric. “There is a whole load of disinformation, misinformation, fragmentation and what not out there,” he continued. “The biggest challenge is to try and simplify this equation when it comes to the cybersecurity community to have a single source of truth.”
He opined that the best way to go forward is the transparency of processes, ensuring that we have reduced the friction that users have today. “The biggest issue that we have in hand right now is to be able to fool-proof security without compromising the user experience. Hope that answers your question,” he added.
How has authentication (technology and practices) evolved during the pandemic?
Jay Reddy: Before the pandemic, we were probably okay with our traditional network security models. Now enterprises are taking steps to move away from the perimeter because identities are decentralised and all over the place.
"There is a lot of talk going on about how to make it (authentication) passwordless, and the whole authentication experience more streamlined, effective, and frictionless. Implementation of zero-trust has been the single and most important role of security operation teams across the world."
Jay Reddy
To sum it up, the pandemic has moved the dial and triggered the thought of authentication being seamless for genuine users and stringent for malicious users.
How do CISOs and CIOs position authentication as an enabler for digital business?
Jay Reddy: With multiple stakeholders involved, different business processes to cater to and all these different systems out there running on the cloud, the imperative is to make authentication foolproof.
This is the only goal with which CISOs and CTOs will work forward. This whole pandemic-powered digital transformation has relayed that information across other divisions of the company, making authentication a good sell, probably an easy sell for CIOs and CISOs right now.
Some suggest that passwords be dropped altogether. Is this a good idea in the current state of technology?
Jay Reddy: The one place where both businesses and consumers agree is login security. Consumers want to trust the apps that they are using or be able to hand over their sensitive and personal information to the vendor. For businesses, it is about keeping the information safe.
If you were to ask me is passwordless going to be the future? Yes, passwordless is going to be the future and passwords can be dropped altogether. But if you ask me, are we ready right away? The answer is NO.
It is going to take us a few more years to get there because, as we speak, we see big names in tech coming together, probably as part of the FIDO Alliance, like Apple, Google, all of them coming together to make one common way of authenticating based on devices or how do you go forward with passwordless.
That's a positive sign and passwordless is going to be the future but it is going to be a little bit delayed in my opinion.
Do you see zero trust as changing the landscape of authentication?
Jay Reddy: Yes. With the perimeter dissolving, it is an obvious incremental addition to what we've been doing all along. Zero-trust is more of a security strategy that makes us question our fundamental beliefs of trust all along.
With the whole zero-trust making momentum, authentication is also changing and one trend that we are observing is UEBA (User Entity Behaviour Analytics) taking centre stage for any authentication in the future. That's where it is headed.
How do you see the future of authentication evolving?
Jay Reddy: For anybody to get UEBA to work, machine learning and AI (Artificial Intelligence) become very prominent in that piece of technology. AI will be used to assist and weigh on individual factors like login attempts with a risk scenario.
The key benefit in this whole authentication powered by AI will be this mould that we have been trying to make. Authentication compromises user experience, and AI will make the user experience essentially much smoother and will give them easy instant access based on the context. If they are an attacker, it is going to stop them from getting into your systems, that's how I see it.
Click on the PodChat player to listen to Reddy share his perspective on the future of authentication.
- What is the biggest issue influencing/impacting authentication?
- How has authentication (technology and practices) evolved during the pandemic?
- How do CISOs and CIOs position authentication as an enabler for digital business?
- Some suggest that passwords be dropped altogether. Is this a good idea in the current state of technology?
- Do you see zero trust as changing the landscape of authentication?
- Our topic is the future of authentication. How do you see the future of authentication evolving?