A set of tools for managing roles and access privileges of individual network entities to various cloud and on-premise applications is called Identity and Access Management (IAM).
The primary purpose of IAM is a single digital identity for everyone and everything. Once that is established, it must be observed and modified throughout the access cycle of each user or device.
We sat down with Sadrick Widmann, CEO of cidaas, a cloud IAM-focused company, to discuss the most pressing issues of this side of the field.
How did cidaas originate? What would you consider the biggest milestones throughout the years?
The idea for cidaas developed out of a customer project of WidasConcepts. At that time, a well-known German medical technology company was looking for a solution for its customer identity and access management that would allow not only the administration of identities but also their authentication and authorization on a central platform. After evaluating several software solutions, we came to the conclusion that no vendor mapped all the requirements "out-of-the-box" and that major development efforts would be necessary to configure the solution as desired. The result is cidaas – Europe’s #1 Cloud Identity & Access Management.
Can you introduce us to your identity platform? What are its key features?
Cidaas is the leading European Cloud Identity & Access Management and delivers an out-of-the-box solution with which companies can establish a unified identity across all channels and the highest security. Cidaas is characterized in particular by feature completeness. Starting with the extensive authentication options for login or multi-factor authentication to our group management with which B2B use cases or family and friend scenarios can be easily implemented as well as our advanced consent management. But also, innovative functions like the Real World Identification with which the digital and the real-world identity of users can be linked.
For example, the access to stadiums or events can be managed, or the cidaas ID validator with which a digital identity verification can be performed via an AutoIdent, for example for the opening of a bank account or for the digital driver's license check, round off the platform.
One important characteristic of the cidaas platform, which our customers often highlight, is the “Everything is an API” approach and the event-based architecture of cidaas. The “Everything is an API” allows one to access all features of cidaas via API and the event-based architecture allows reacting in real-time to any event happening in the cidaas platform. Both features allow a perfect integration of cidaas into any software landscape or application.
What are the most common methods threat actors use to bypass various identity verification measures?
There are many different attack vectors in the context of authentication, but since the password is still the predominant authentication method, most attacks continue to be password-centric and follow classic attack patterns.
Therefore, brute force attacks are still one of the most common methods; in particular, brute force attacks with credential stuffing or credential cracking demonstrate high success rates. In these attack patterns, attackers utilize existing compromised credentials and variations of these to authenticate at different services and platforms. The biggest collection of leaked credentials – “haveibeenpwned” – contains nearly 12 billion credentials.
Additionally, classical phishing attacks are still common and still show a much too high success rate.
The advantage of these attack patterns is the broad range of victims that can be reached as well as the ease of implementation, reducing the barriers of the attack. Combined with a good success rate, it is perfect for any attacker.
The best way to overcome these attack patterns is to move to passwordless and multi-factor authentication to eliminate the password as an attack vector.
How do you think the recent global events affected the cybersecurity landscape?
The recent events had a huge impact on the cybersecurity landscape. To start with, the Covid-19 pandemic has greatly changed the way we work. Remote work and distributed work are part of everyday life, which also meant that classic cybersecurity concepts had to change. Users are no longer located in the secure corporate network protected by firewalls, but all over the world. But it is not only the world of work that has changed; the pandemic has also had an impact on private life, giving digitization a further boost, at least in part.
Also, the recent development in Ukraine affects the cybersecurity landscape massively, especially since state players and also hacker collectives are getting in on the action. In addition to the actual threat situation, which has increased, the perceived threat situation is also decisive and shapes the cybersecurity landscape.
My hope is that recent global events will have a positive effect on cybersecurity and lead to increased investment in cybersecurity by companies and nations.
What are the main issues associated with password-based authentication?
We already discussed password-centric attack patterns, but the main issue with password-based authentication is the human. The human factor combines different human behavioral patterns which undermine the password. That starts with the reuse of passwords: users tend to use the same or a variation of the same password – “test123” and “test1234” – which makes it easy for the attacker to guess the password in a brute force attack.
Moreover, the users do not select random passwords but subconsciously use certain patterns to assign passwords. These patterns can be modeled by attackers to reduce the number of possible passwords (solution space). Basically, attackers do not need to test random passwords during an attack; based on leaked credentials and models which map the patterns of password selection, the solution space an attacker needs to test during an attack shrinks massively.
Besides quality identity management solutions, what other cybersecurity measures do you think every company should implement nowadays?
There is a broad range of cybersecurity measures a company should implement nowadays. Important are all measures known to secure the networks and internal infrastructure: firewalls, protection against malware, monitoring of software and hardware systems, antivirus software…
It is also important to keep software and hardware up to date; sadly, this is quite often not the case in many companies, and in particular outdated software is in place. Finally, security awareness within the company is an essential building block of cybersecurity.
As for personal use, what security measures can average individuals take to prevent their identity from being stolen?
As an individual, you can take different measures to reduce the risk of identity theft. Obviously, caution and thoughtful behavior are important. Additionally, individuals should move to passwordless authentication options if available; more and more digital services offer such options, like many of our customers do.
Users should also start using multi-factor authentication, in particular for important services and sensitive data. But it is not only the individual who should take action; companies and providers also need to do their job and integrate identity & access management as well as other security solutions to protect their user data.
What do you think the future of identity and access management is going to be like? Do you think the use of biometrics is going to take off?
I am curious to see the future development of the Identity & Access Management market. There are some interesting trends, be it Zero-Trust, digital identity verification, or the connection between digital and real-world identity.
I am also quite sure the use of biometrics will take off; it is one of the most comfortable options for users, and most of the users are already used to it, due to device biometrics like FaceID or TouchID on smartphones. In particular, in the context of passwordless authentication, user comfort and therefore biometrics are important.
Would you like to share what’s next for cidaas?
As a leading European Cloud Identity & Access Management, we have big plans for the future. We want to further strengthen our position in Europe and also expand into other markets. We also have some cool new features planned that will help our customers to implement Identity & Access Management perfectly.
We have already briefly touched on a few topics above, from zero trust to real-world identification (identifying users in the real world, e.g. at the point of sale or when accessing the stadium), which we will continue to drive forward with cidaas.