
Okta: APAC will step up digital identity management for stronger security in 2023

Article by Ben Goodman, SVP and GM, Asia Pacific and Japan, Okta

The strongest cyber defenses are only as strong as their weakest parts, as the saying goes, and this has proven true in the high-profile attacks on Twilio and Uber in the past few months.

Though both companies are digital natives with IT-savvy workforces, they still fell prey to attacks that targeted users inside the organization, for example by tricking them into granting access through phishing and other deception.

Indeed, in 2021, over 80% of successful attacks on Web applications stemmed from credential-based attacks such as phishing, credential stuffing and “password sprays”.

According to the not-for-profit Anti-Phishing Working Group, the highest rate of phishing attacks on record was in the first quarter of 2022. Financial services and cloud service providers were targeted the most often.

With credential theft now the primary means of attack, APAC organizations are expected to fight back by pivoting to online authentication mechanisms that offer greater resilience to such threats.

To succeed, they must embrace security and identity as strategic enablers of their business enterprise-wide. Specifically, here are five actions we predict they will take to shore up their defenses in 2023:

Dedicating more resources to fight phishing

In the new year, more APAC organizations will pivot to online authentication mechanisms that offer greater resistance to phishing attacks. They will build up their capability to withstand real-time, adversary-in-the-middle (AiTM) attacks.

The most reliable definition for phishing resistance is maintained by the US National Institute of Standards and Technology (NIST). According to NIST, phishing resistance requires that the channel being authenticated is cryptographically bound to the output of the authenticator. In simpler terms, this means that the domain address of the website you are signing in to is tied to your authenticator, to ensure it won’t issue your credentials to a fake phishing web page.

Organizations can be a lot safer if they limit all user authentication to phishing-resistant factors. They can go as far as doing away with all passwords and login pages.

Multi-factor authentication (MFA) remains the most effective form of protection against all forms of credential theft. MFA limits what an adversary can do with a stolen password, and creates numerous detection opportunities when an adversary attempts to bypass it.
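The NIST definition above is easiest to see in code. The following is an added example, not part of the original article and not Okta's code: a constructed model of a FIDO2/WebAuthn authenticator and a verifying site, with an HMAC key standing in for the per-credential private key (a real authenticator signs with an asymmetric key). The domains, challenges and scenarios are constructed. It shows the two places the binding takes effect: the authenticator only holds a credential scoped to the registered domain, so a lookalike AiTM proxy gets nothing, and the verifier rejects any assertion whose signed origin is not its own, so a relayed or tampered login fails even when the signature itself is valid.

```python
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Constructed model of a FIDO2/WebAuthn authenticator (HMAC stands in for the private key)."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, key): credentials are scoped to a domain

    def register(self, rp_id: str):
        credential_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._credentials[rp_id] = (credential_id, key)
        return credential_id, key  # the site stores these at enrollment

    def get_assertion(self, rp_id: str, origin: str, challenge: str):
        if rp_id not in self._credentials:
            return None  # nothing registered for this domain, so a lookalike site gets nothing
        credential_id, key = self._credentials[rp_id]
        # Client data records the origin the browser is on; the signature covers its hash.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
        signature = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return {"credential_id": credential_id, "client_data": client_data,
                "auth_data": auth_data, "signature": signature}


class RelyingParty:
    """Constructed verifier for the site at `origin`, whose RP ID is `rp_id`."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self._keys = {}           # credential_id -> key learned at enrollment
        self._challenges = set()  # outstanding single-use challenges

    def enroll(self, credential_id: str, key: bytes):
        self._keys[credential_id] = key

    def begin_login(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._challenges.add(challenge)
        return challenge

    def verify(self, assertion):
        """Return (accepted, reason); each check mirrors one the WebAuthn ceremony requires."""
        if assertion is None:
            return False, "no credential for this domain"
        key = self._keys.get(assertion["credential_id"])
        if key is None:
            return False, "unknown credential"
        client = json.loads(assertion["client_data"])
        if client.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if client.get("challenge") not in self._challenges:
            return False, "challenge not issued or already used"
        self._challenges.discard(client["challenge"])
        if client.get("origin") != self.origin:
            return False, "origin mismatch"  # the channel binding NIST describes
        if assertion["auth_data"][:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(key, assertion["auth_data"] + sha256(assertion["client_data"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


def run_scenarios():
    """Three login attempts against one constructed site; returns each verdict and reason."""
    rp = RelyingParty("example.com", "https://example.com")
    token = Authenticator()
    rp.enroll(*token.register("example.com"))
    results = {}
    # 1. Genuine login: the browser is on the real origin, so RP ID and origin both match.
    results["genuine"] = rp.verify(
        token.get_assertion("example.com", "https://example.com", rp.begin_login()))
    # 2. AiTM proxy on a lookalike domain relays the real challenge. The browser derives the
    #    RP ID from the page it is on, so the authenticator has no credential to offer.
    results["aitm_lookalike"] = rp.verify(
        token.get_assertion("login-example.net", "https://login-example.net", rp.begin_login()))
    # 3. A tampered client asks for the real credential but reports the attacker's origin:
    #    the signature is valid, yet the signed origin is not the site being logged into.
    results["wrong_origin"] = rp.verify(
        token.get_assertion("example.com", "https://login-example.net", rp.begin_login()))
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:15s} accepted={accepted} ({reason})")
```

Contrast this with a one-time code typed into a page: the code carries no origin, so a proxy can relay it unchanged and it verifies. The single-use challenge set also means a captured assertion cannot be replayed later.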

Password-less authentication for less friction

Passwords, an often-troublesome form of authentication for most users today, will be ushered out over time, as new security standards and advancements make password-less methods more secure and easy to use.

In 2023, many organizations will look to other secure factors at login, such as biometric input (face or fingerprint) or hardware tokens. These can be combined with systems that check passive signals such as user behavior, atypical Web traffic and physical location to bolster defenses against access via stolen credentials.

Rethinking standing privileges

Today, privileged users have standing access to critical infrastructure and resources, which makes them an attractive target for threat actors. The exposure grows when these standing privileges persist after the users no longer need them.

Departing from such long-held practices in 2023, many organizations will look to a single unified solution to limit the risks that standing privileges bring.

Integrating identity governance and administration (IGA) and privileged access management (PAM) capabilities with identity and access management (IAM) gives IT more power and control over access management without compromising on security or user experience. In the coming year, more APAC organizations will invest in these areas to close a potential loophole.

Decentralized identity gains traction

Instead of relying on centralized databases, organizations in the region will look to more decentralized forms of identity to bolster their defenses against credential theft.

This also means individuals will have more control over how their personal information is stored and used. Because the data is decentralized, threat actors will find it far harder to take over large numbers of digital identities at once, which reduces the risk of misuse and simplifies compliance requirements.

Just as importantly, technologies such as blockchain will enable organizations to lighten the burden of protecting a central store of digital identity, a burden that grows as digital identity becomes ever more important for accessing services and infrastructure in a rapidly digitalizing economy.

Identity management extended to customers

As more organizations understand the importance of identity management, many will also extend the capability beyond their own workforce to their customers as well. In 2023, this is one area that many will explore.

Customers of an online retailer, for example, can better manage their identities and log in to the site securely and easily through Okta Customer Identity Cloud. This can help streamline registration and login across devices, stacks and platforms, enabling the business to acquire and retain customers through a better experience.

The right approach to customer identity management enables a complete, 360-degree view of customer profiles and preferences by consolidating and centralizing user data across various sources, including both internal and third-party systems. This unified view provides a better understanding of who one’s customers are and what they want so that it is easier to tailor outreach and campaigns for a more effective marketing strategy.

Tackling threats head-on

All in all, we expect more organizations in 2023 to bolster their defenses by pinpointing the one weakness that often negates other efforts to protect against cyberattacks – credential theft. Firms that find more secure ways to give users access to data and infrastructure will ultimately be more successful in keeping malicious actors out of their network.