How to secure the identity perimeter and prepare for AI agents

Ping Identity CEO Andre Durand explains why identity has become the critical security battleground, how decentralised credentials will reduce data breach risks, and why AI agents will need their own identities to be trusted

The old security mantra of building a strong digital fortress around corporate assets is long dead. In a world of cloud services, remote work and application programming interfaces (APIs), the concept of a defensible network border no longer exists.

In its place, a new perimeter has emerged, defined not by firewalls, but by the identity of every user, device and application seeking access, making identity the new front line in cyber security.

In an interview with Computer Weekly, Andre Durand, CEO of identity specialist Ping Identity, discusses the evolution from simple passwords to sophisticated verification, the promise of decentralised digital credentials to reduce the impact of data breaches, and the relationship between identity and artificial intelligence (AI).

Editor’s note: This interview was edited for clarity and brevity.

What does ‘identity is the new perimeter’ mean?

The phrase was coined about a decade ago by Dan Hendrick, who at the time was at GE, and that idea has been subsequently validated.

Adversaries don’t break our cryptography; they break our identity. Most attacks originate through weaknesses in identity controls, where passwords or secrets can be stolen and replayed because they are not tightly bound to their owner.

As an industry, we’ve been fortifying the authentication part of the identity controls. Consequently, authentication is now the strong front door, so adversaries are finding weaknesses in the back and side doors.

Major points of weakness are now onboarding and the call centre, as seen in the Scattered Spider attacks. This lack of mature, modern verification is being abused in account recovery processes like password resets. Invariably, the weakest links in the identity security controls are the ones that are being abused.

The current state of the art for onboarding or account recovery is biometrics combined with the verification of a government-issued physical ID, such as a driver’s licence or a passport. That’s certainly not infallible, due to impersonation or fraudulent documents, but it is harder than stealing a password and more secure than a question-and-answer process, as data breaches have exposed the personal information historically used for knowledge-based authentication.

The industry is therefore moving quickly to document-based verification services, and that's a service that Ping offers.

Now, you can combine that with other signals, which collectively are hard for an adversary to amass and replay. We can glean signals from the device itself, the SIM, and the longevity of the associated email address and phone number. All of those are indicators of possible risk in the remote verification process.

During the pandemic, there was a focus on two-factor or multi-factor authentication. Now, there's a rush to improve identity verification in remote digital scenarios, via both call centres and web and mobile channels. There are also emerging privacy-preserving biometric techniques that can be used in onboarding and, more importantly, during account recovery. Their development has been spurred by the threat of AI video and voice fakes.

The state of the art is physical document-based verification, but this will give way to digital credential verification, which will be even harder to spoof as there will be no physical document for AI to recreate.

Those digital credentials will be issued by institutions we trust. Government entities that today issue your citizenship or other forms of societal identification will issue digital versions that will be used to establish trust in new relationships. Replacing a physical credential that has to be converted to a digital form with a digital credential that can be verified digitally removes a step that’s possibly vulnerable.

Will this reduce the impact of data breaches, as an organisation would no longer need to retain the data it used to establish an individual’s identity?

Absolutely. The emerging technologies and standards we refer to as decentralised identity centre on the notion of a digital wallet containing verifiable digital credentials, such as a digital driver’s licence or passport, or any attribute a trusted third party can attest to.

These are all identity proofs of different natures – perhaps of my real name and address, that I'm a million-miler on United (which holds some credence if I were signing up for other airlines), that I'm an employee of a particular company, or that I have an account at a particular bank.

If you think about how we interact digitally with organisations, the individual today has no way to carry digitally verifiable proofs about themselves on their person. Decentralised identity changes that.

Suddenly, there is a way for an organisation like an employer to issue a digital credential that says you’re an employee.

Now, as an employee, if you are asked, “Are you an employee of so-and-so?”, you can share that digital credential. It can be verified in real time, and here’s the key: the verifying organisation doesn't need to store the credential. They can verify its credibility and that you are the rightful holder, without having to store the underlying information that would otherwise become a honeypot for attackers.

It also supports selective disclosure – for example, proving that you are over 21 without disclosing your date of birth or name.

Has it previously been too hard to have a rigorous enforcement of identity across a range of systems?

Yes, it is inherently difficult. We have hybrid infrastructure – some assets and data in the cloud, some on-premises, some legacy, some custom – and it’s not trivial to connect them all to a well-architected identity control plane. This plane must cover all use cases – authentication, identity management, governance, privileged access – and be agile enough to deal with a changing threat landscape. It must also be able to incorporate real-time fraud and risk signals into its decision-making, with centralised policies for conditional access control.

Creating a ubiquitous, modern, sophisticated identity security control plane is serious business. And doing that everywhere in a uniform way is a challenge for the industry and for society at large.

This is where regulation has a role. Companies in critical, regulated industries can be forced to step up to protect the public if things are otherwise moving too slowly. Regulation steps in on behalf of the public to force companies to invest more, not just to protect themselves from ransomware, but ultimately to protect the customers and consumers who trust those enterprises to maintain their privacy and security. It ensures that the assets being stewarded by those organisations are protected appropriately.

How do identity and AI interact?

We see the AI conversation in two categories. The first is about leveraging AI to automate certain aspects of identity management. The process of maintaining a clean state of identity within large organisations involves a lot of repetitive work that can be automated with AI. We refer to that as “AI for identity”.

The other side of the equation is “identity for AI” – the notion that AI and agents acting on our behalf will need access to information. That access needs to be well-scoped and secured: you don't want agents roaming around our networks accessing data they should not have access to.

You can't secure what you can't identify, so agents need to have identities. Their actions need to be recorded in the same way human actions are recorded. They should only be authorised for appropriate access: principles of least privilege need to apply to agents as they do to humans.

There are scenarios where you don't want an agent taking an action on your behalf without explicit authorisation. For example, I might authorise an agent to research a product for me, but I might not want it to purchase the product without my explicit consent.

I wouldn't want my agent to have access to your information, and vice versa. So, agents in some ways need to inherit the access rights and privileges of their custodian. If an agent buys something on Amazon on my behalf, but the relationship between that agent and my authorisation is not explicit, I could say, “I know my agent bought it, but I didn't authorise that.” Then who does Amazon pursue for a remedy? The agent or me? The liability chain must be well-formed, which ultimately means that all these agents need to be authenticated and authorised.

In some cases, we need good governance of the agents. We need to ensure that agents can't collude or lose track of their original mission over time. This goes beyond the idea of hallucination – you could have a swarm of agents pursuing an outcome, and three levels down from the original action, they could lose the context of the original mission and do something completely different.

All this means that agents will have to be tracked, authenticated, authorised, and their activities noted. We must be able to retrace what agents did in our systems.

How does identity enhance security?

Our modern way of life is built on digital transactions. But we may think we're transacting with the bank when we're actually transacting with a phishing site. So, “trust but verify” is no longer sufficient for the level of risk and abuse occurring online. Now, the motto should be “only trust the verified”.

The principle of zero trust captures this. It says we can't trust users, networks or devices. We should verify the device, we should verify the network, and we should verify the user.

Trust has been weaponised. Wherever we have trust in our systems, that’s where adversaries attack. In response, they are forcing us to install mechanisms under which everything can be verified, and that begins with verifying your real identity.

Five years ago, you'd provide an email address, and it would be presumed that you had access to it. Now, you are sent an email to verify that it is your address. The same happens with phone numbers. They're verifying that you have access to the things you say you have access to.

There is a level of security Darwinism taking place to fortify the assumed trust that has been in many systems but is now the vector of attack, and it’s forcing companies to act.

If a security incident means you need to re-enrol some or all of your users, you can no longer assume they are who you think they are. You must make them prove they are who they say they are.

If you hire people remotely via teleconferencing, you can’t assume the person who shows up for work is the person you interviewed. In some IT sectors, that accounts for as much as 15% of hiring fraud. Nation-states like North Korea are sending their IT workers to fraudulently infiltrate companies and steal identities.

You have to ensure the integrity of the hiring process from the initial application through every subsequent remote interview, as these now mostly happen via Zoom and Teams. You must make sure that the person who filled out the form and took the interview is the person who actually shows up.

There are predictions that in some industries, as much as 50% of applications could be identity fraud. That was not a problem five years ago – or perhaps it was and we just didn’t know about it – but it is a problem now.

All these are examples of where identity is the perimeter we need to protect. The integrity of identity has been challenged by the embedded trust we've had in our identity controls, from employment onboarding to every other digital interaction.

Verifying identity at every step in a cost-efficient way while providing a great user experience is a challenge for the whole industry. It's an opportunity for companies like Ping: we're in the business of enabling or re-enabling trust in every digital transaction. That's our goal.

Is there any particular significance to the consolidation occurring in the identity market?

The planned acquisition of CyberArk by Palo Alto is a recognition that traditional security companies can no longer avoid identity.

First, we secure the network, then we can secure the endpoint, and we can secure the browser. But there comes a point where you can't secure what you can't identify. To me, it’s a recognition of identity’s growing importance in security.

You can't have a deep security conversation and not have an identity conversation because, again, you can't secure what you can't identify. It’s that simple.

Everything needs to be identified: the APIs, the workloads, the service requests, the machines, the humans. Any scenario where an element is not identified is an opportunity for abuse. Agents, humans, non-human identities – everything that is critical, if we're going to secure it, we have to be able to identify it.

So, industry consolidation is an acknowledgement that identity's time has arrived.
