Of bots, humans and passwords

Technology is often described as the great leveller; it has enabled organisations large and small, as well as consumers, to do almost anything from anywhere, at any time. Yet as our reliance on it grows, so does the potential for hackers to exploit vulnerabilities in that same technology.

In fact, thanks to increasing cloud capabilities and mobile technology, enterprise attack surfaces have rapidly expanded, and are no longer confined to local networks. According to new research from Thales, almost half (49%) of businesses believe cloud apps – which are becoming increasingly crucial in day-to-day business operations – make them a target for cyberattacks.

Fortunately, the security industry is continuing to adapt to these rising threats, becoming more proactive in its techniques and driving innovation to thwart attackers' plans. Case in point: based on the latest IDC Worldwide Semiannual Security Spending Guide, spending on security-related hardware, software and services in Asia/Pacific excluding Japan (APeJ) will reach US$16 billion this year, an increase of 20% over the previous year.

What’s more, with the EU’s General Data Protection Regulation (GDPR) having come into force last year, data protection, together with the reputational and financial risks that a breach carries, is now at the forefront of organisations’ minds.

An identity thief lurks in the shadows

One area which has come into particular focus after a raft of credential-based attacks is identity and access management (IAM). IAM technologies have two parts: identity management, which creates and maintains identities, and access management, which ensures that those identities reach an organisation’s resources and applications with the appropriate level of security.

For example, when new employees join a company, the identity management process creates their digital identities in the system, issues them with credentials and determines which applications they need to do their job. After this, the access management system validates the users’ credentials when they log into their apps and ensures that the appropriate access policy is applied.

However, as the sophistication of cyberattacks grows and disruptive technologies such as artificial intelligence (AI) begin influencing methods of attack, what does the future hold for IAM?

Passwords: a hacker’s dream

From Single Sign On (SSO) and biometrics to AI and tokenisation, the security industry is continuing to pursue new ways to improve access management. However, the one thing that remains at the heart of most security practices implemented within organisations is the username and password. In fact, consumers today have on average 90 online accounts, and to make their digital lives simpler, 89% use the same password, or variations of it, for everything.

The downside is that once hackers have a known email and password combination, typically harvested from a breach at one site, they can program bots that replay it against potentially tens of thousands of online and business apps, betting that the owner reused it elsewhere. This is known as credential stuffing, and widespread password reuse is what makes it pay off.
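Credential stuffing has a recognisable shape in authentication logs: one source address, many different usernames, mostly failures (breach passwords are often stale) and a few successes, which are the accounts that have just been taken over. The following is an added example, not code from the article or from any Thales product, that runs such a detector over constructed log lines. The log format, the key=value fields, the IP addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds are all assumptions for illustration.

```python
"""Detect credential-stuffing sources in authentication logs.

Added example; the log format, field names and thresholds are assumptions,
not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. 203.0.113.5 sprays six accounts in six
# seconds (stuffing); 198.51.100.7 retries one account (brute force).
SAMPLE_LOG = """\
2019-06-01T09:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-06-01T09:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-06-01T09:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2019-06-01T09:00:04Z ip=203.0.113.5 user=dave@example.com result=OK
2019-06-01T09:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2019-06-01T09:00:06Z ip=203.0.113.5 user=frank@example.com result=FAIL
2019-06-01T09:03:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-06-01T09:03:20Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-06-01T09:03:40Z ip=198.51.100.7 user=alice@example.com result=OK
"""


def parse_line(line):
    """Turn '<iso-timestamp> key=value ...' into a dict (assumed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "OK",
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that hit many distinct accounts
    inside `window` with a low success rate.

    Per IP, a sliding window over its attempts (sorted by time) is scanned;
    the widest window that meets the thresholds is reported, together with
    the accounts that succeeded, since those are the ones to reset.
    A single-account brute force never trips `min_users`.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if (len(users) >= min_users
                    and successes / len(win) <= max_success_rate
                    and (best is None or len(users) > best["distinct_users"])):
                best = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "compromised": sorted(e["user"] for e in win if e["ok"]),
                }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run as a script it reports only 203.0.113.5, with `dave@example.com` as the compromised account. The success-rate ceiling matters: a legitimate shared egress address (an office NAT, a corporate VPN exit) also presents many distinct users from one IP, but nearly all of its log-ins succeed, so it is not flagged.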

To secure cloud-based or online apps, 75% of the organisations we spoke to in Thales’ 2019 Access Management Index already rely on access management to secure their external users’ logins to online corporate resources. In particular, two-factor authentication is the tool most likely (58%) to be seen as effective at protecting cloud and web-based apps.

However, while access technologies such as SSO and two-factor authentication are reducing the success of these attacks, new technologies pose new risks. Soon hackers will be able to build machine learning bots that mimic user behaviour, making it harder than ever for security professionals to tell whether enterprise log-in attempts are genuine or the work of malicious bots. Worse, as quantum computing approaches, today’s public-key cryptography (RSA and elliptic-curve algorithms in particular) will no longer be fit for purpose, so access management needs to be at the forefront of every organisation’s security strategy in order to protect the data within.

Is machine learning the answer?

Thankfully, the security industry is using this same machine learning technology to keep up with these emerging threats. The 2019 Gartner CIO Agenda survey revealed that 49% of APAC CIOs have already deployed AI technology or deployment is in short-term planning. As bots become capable of mimicking human behaviour, solutions need to begin validating users with more than just log-in details – they need to be adaptive.

Traditionally, authentication has been a one-time decision made at log-in on the credentials the user presented; once the session is established, it is trusted for its lifetime. While this protects networks from the majority of current attacks, against bots that can mimic a legitimate user it will eventually lead to easy, undetected account takeovers. Access management technologies now need to track user behaviour throughout the session to provide continuous authentication and authorisation.

To determine whether a user is who they claim to be, the site or system needs to read signals from the user’s interaction, context and navigation (device, location, time of day, typing and mouse rhythm, the pages visited) to learn what constitutes ‘normal’ behaviour for that user, and then detect and alert on any behaviour that deviates from it. In short, if a user usually logs in from Singapore and types in a certain manner, a log-in attempt from Hong Kong with a mechanical typing style is likely to be malicious, even if the credentials are correct. If the behaviours point to fraud, the access control system should terminate the session or require additional step-up authentication from the user. Because travel, VPNs and new devices also produce deviations, step-up is the safer default for moderate risk; termination is best reserved for signals a legitimate user cannot plausibly produce, such as impossible travel combined with a machine-like typing rhythm.
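The Singapore/Hong Kong scenario above, worked through as an added example (not Thales’s or any product’s real risk engine): a baseline is built from a user’s past sessions, each new session is scored on impossible travel, distance from the last location and keystroke rhythm, and the score maps to ALLOW, STEP_UP or TERMINATE. The signal set, the point values, the thresholds and the session history are assumptions chosen to illustrate the three outcomes; a real engine would weigh many more signals and tune thresholds on its own data.

```python
"""Adaptive, continuous authentication: score a session against the user's
baseline and decide ALLOW / STEP_UP / TERMINATE.

Added example with assumed signals, weights and thresholds; not any real
product's risk engine.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

ALLOW, STEP_UP, TERMINATE = "ALLOW", "STEP_UP", "TERMINATE"


@dataclass
class Session:
    user: str
    ts: float             # unix seconds
    lat: float
    lon: float
    key_intervals: list   # milliseconds between consecutive keystrokes
    credentials_ok: bool


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine, Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def build_baseline(history):
    """Summarise 'normal' from past legitimate sessions of one user."""
    intervals = [i for s in history for i in s.key_intervals]
    return {
        "last": max(history, key=lambda s: s.ts),
        "typing_mean": mean(intervals),
        "typing_std": pstdev(intervals),
    }


def score_session(session, baseline, max_speed_kmh=1000.0, far_km=500.0):
    """Return (risk_points, reasons); higher means more suspicious."""
    reasons, risk = [], 0
    last = baseline["last"]
    distance = km_between(last.lat, last.lon, session.lat, session.lon)
    hours = max((session.ts - last.ts) / 3600.0, 1e-6)
    # 1. Impossible travel: nobody covers the distance since the last
    #    session at more than airliner speed (assumed 1000 km/h ceiling).
    if distance / hours > max_speed_kmh:
        risk += 50
        reasons.append(f"impossible travel ({distance / hours:.0f} km/h)")
    # 2. New region: far from where this user was last seen. Travellers
    #    trip this too, so on its own it only warrants step-up.
    if distance > far_km:
        risk += 30
        reasons.append(f"{distance:.0f} km from last session")
    # 3. Typing speed far outside the user's usual cadence (z-score).
    z = abs(mean(session.key_intervals) - baseline["typing_mean"]) / max(baseline["typing_std"], 1.0)
    if z > 3:
        risk += 30
        reasons.append(f"typing speed z={z:.1f}")
    # 4. Unnaturally regular rhythm: humans jitter, scripts do not.
    if pstdev(session.key_intervals) < 5:
        risk += 40
        reasons.append("mechanical typing rhythm")
    return risk, reasons


def decide(session, baseline):
    """Valid credentials are necessary but not sufficient."""
    if not session.credentials_ok:
        return TERMINATE, ["bad credentials"]
    risk, reasons = score_session(session, baseline)
    if risk >= 80:
        return TERMINATE, reasons
    if risk >= 30:
        return STEP_UP, reasons
    return ALLOW, reasons


# Constructed history: five daily log-ins from Singapore with a human rhythm.
SINGAPORE = (1.35, 103.82)
HONG_KONG = (22.32, 114.17)
HISTORY = [
    Session("alice", 1_560_000_000 + d * 86400, *SINGAPORE,
            [140, 180, 120, 200, 160, 130, 190, 150], True)
    for d in range(5)
]
BASELINE = build_baseline(HISTORY)
T_LAST = HISTORY[-1].ts
HUMAN_RHYTHM = [150, 170, 130, 190, 160, 140]

# Next day, Singapore, human rhythm: nothing unusual.
NORMAL = Session("alice", T_LAST + 86400, *SINGAPORE, HUMAN_RHYTHM, True)
# Next day, Hong Kong, human rhythm: plausibly a business trip.
TRAVELLER = Session("alice", T_LAST + 86400, *HONG_KONG, HUMAN_RHYTHM, True)
# One hour later, Hong Kong, constant 100 ms keystrokes, correct password.
BOT = Session("alice", T_LAST + 3600, *HONG_KONG, [100] * 8, True)

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("traveller", TRAVELLER), ("bot", BOT)]:
        print(name, *decide(s, BASELINE))
```

With these inputs the normal session is allowed, the traveller is asked for step-up (far from the last location, but reachable in a day and typed by a human) and the bot is terminated (impossible travel plus a zero-variance keystroke rhythm), despite presenting the correct password. Because `decide` takes a `Session` rather than a log-in request, the same scoring can be re-run on an established session as new keystroke or navigation data arrives, which is what makes the authentication continuous rather than a single gate at log-in.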

As the race to master AI for both malicious and protective purposes intensifies, it is clear that access technologies are at the forefront of keeping businesses secure. And it is not just AI that is set to bolster these technologies: biometric access control is set to support organisations in highly regulated sectors such as defence contractors and government offices.

With adaptive access management technologies and the right access policies in place, users will not be impeded by security. The log-in process will be based on the intelligent assessment, enforcement and monitoring of access policies – providing a hassle-free and secure user experience.