Simon Wood, Ubisecure: “organizations have a responsibility to protect digital identity”


The switch to remote work has opened new possibilities for hackers to attack both individuals and companies. Unfortunately, many people still lack knowledge (or simply don’t care) about online security, which can prove to be the weak link when it comes to data protection.

As a result, companies seek effective identity and access management solutions to secure their services, providing robust measures against human error and data breach attempts. Ubisecure’s Identity Platform is designed to solve identity and access management challenges from the most common use cases (like single sign-on and authentication) to the most complex (such as advanced identity relationship management).

We sat down to talk more about the importance of organizational and individual identity with the CEO of Ubisecure, Simon Wood.

At Ubisecure, you believe that organizational identity is just as important as individual identity. Where does this vision come from?

Organizational identity is a core part of Ubisecure's DNA, as we've believed in its importance since the company was first founded. Nowadays, organizational identity is more important than ever before.

Think of the last online transaction you undertook – either as an individual or representing your company. Most likely it was with an organization, and chances are you didn't have or didn't seek strong assurance of the identity of that organization. This creates many opportunities for bad actors.

But it's not just about avoiding the pitfalls of weak authentication. Best-practice organizational identity creates unique opportunities too. For example, our organizational focus led us to work on a platform for the Finnish government's online services, which enabled the strong identification of both individuals and organizations.

Crucially, it enabled the government to trust the linkage between the two identity classes. It's very powerful for organizations to be able to digitally delegate the right of specific individuals, or even other companies, to represent them and act on their behalf – and for the government/other organizations to be able to trust those assertions.

You have been in business since 2002. What are the main changes you’ve witnessed throughout the years in the identity verification field?

Throughout our history in digital identity, we've seen high growth of identity verification – particularly in regions with a strong identity solution in place that can be used for government or commercial online services.

For example, Sweden has BankID, and therefore several online services offer BankID for identity verification.

More recently, we're also seeing a rise in identity verification in regions lacking an established strong identity. As consumers and citizens become more aware of the importance of protecting their online accounts, service providers are connecting ways to verify the real identities of users, rather than relying on less secure authentication such as passwords or social login.

For example, Onfido has seen strong growth with its digital solution to verify users with their physical ID documents – even in regions without an established digital ID, like the UK.

On your website, it is stated that Ubisecure is the #1 issuer of Legal Entity Identifiers. Could you briefly explain this technology?

Legal Entity Identifiers, or LEIs, are highly assured organization identification codes, based on an audited verification process. They're globally standardized, so they provide far greater transparency about who an organization is, and their group structure, than any national identification scheme (such as that run by Companies House in the UK).

Organizations with LEIs are represented by a unique 20-character alphanumeric code that is verifiable and connects to both current, and historical, organization identity reference data.

LEIs increase transparency, particularly in regulated financial transactions (where use of the LEI is often mandatory), and provide a global trust anchor from which relying parties can establish trust in the organization they are transacting or communicating with.

Going back to Ubisecure's belief in the importance of organization identity, becoming an issuer of LEIs in 2018 complemented our position as a leading provider of organization ID.

We are working on solutions where all organizations can be represented by an LEI, and the LEI is a key identity attribute in workforce/employee identities, allowing individuals to digitally represent their organization and their organizational rights in a trustworthy, and secure, way.

Being able to assert trusted individual to organization relationships will not just reduce identity fraud but revolutionize KYC/AML, and massively improve the efficiency of B2B transactions.

Since being accredited as an LEI issuer, we have grown very quickly under our RapidLEI brand to become the leading issuer of new LEIs globally, and the second-largest issuer of LEIs of all-time – surpassing Bloomberg.

Identity data breach: what is the worst that can happen?

For organizations that suffer a data breach, the consequences are multi-faceted. There are significant time and cost implications of discovering how the data breach happened, resolving the issue(s), and dealing with the regulatory administration and fines. There's also brand reputational damage, as customers lose trust in organizations that do not keep their data safe.

Protection against data breaches must be a priority when building and maintaining online services, and how you verify identities and manage their access/authorization is at the center of that.

Organizations have a responsibility to protect digital identity, and if we're also looking at this from an individual perspective – more and more onus is also being put on individuals (consumers, citizens, etc.) to do their part.

All too often, people use the same password for every site and leave their accounts vulnerable, or perhaps don't use the strong/multi-factor authentication features on offer, with the excuse that "I've got nothing to hide". But our data is very valuable, and unfortunately for some, it takes an incident like a data breach for them to realize that.

Have you noticed any new emerging cyber threats as a result of the pandemic?

Many significant cyber threats that we've seen as a result of the pandemic come from the sudden increase in remote working. As digital interactions took precedence over face-to-face, bad actors sought to take advantage of the increased attack surface and anonymity.

Where workplace cybersecurity had traditionally been kept within the perimeter of the physical workplace and occasionally extended with a VPN, suddenly access to sensitive resources needed to be available via the public internet.

Catalyzed by this shift, organizations now see much higher value in implementing security policies on an app-by-app basis that are often referred to as Zero Trust.

What do criminals usually try to gain by targeting enterprises instead of individuals? What protective measures can companies take?

Ultimately, the rewards for criminals are much higher with enterprise attacks vs individual attacks. Looking at the rise in ransomware campaigns of late, you can see how a large enterprise may have more to offer in terms of profit.

Further, enterprises generally hold a lot more data than individuals, and data is touted as the new oil for its high value – for an activity like data-led sales and marketing, but also on the black market, particularly when related to things like healthcare or finances.

The good news is that there are a lot of protective measures that companies can take. The actions range from implementing the latest security solutions into their systems to security awareness training for all employees. Employees can often prove a weak link in enterprise security, so education is key – as is ensuring the principle of least privilege in case an individual's account is compromised.

Recently, the discussion around Identity of Things (IDoT) started to gain traction. Can you tell us more about it?

While the discussions around IDoT have certainly picked up recently, the concept has been around for a while. From simple sensors to complex devices, like cars, to instantiations of artificial intelligence.

If a thing is accessing sensitive systems, identity and access checks must be a prerequisite in the same way as those of individuals or organizations.

Unfortunately, many systems have been compromised by insecure Internet of Things (IoT) sub-systems. There is no security without identity. Hence, IDoT is now seen as critical, and we look forward to participating in the emerging standards that will help ensure interoperability between identity systems and things.

What do you think the future of identity verification methods is going to be like? Do you think the use of biometrics is going to become widespread soon?

I would argue that the use of biometrics is already widespread. For example, Touch ID or Face ID on an iPhone is a biometric control for the Secure Element.

More and more digital services are offering different types of biometrics as an alternative login method, either using your device's in-built scanners or even through a standard webcam. Going forward, we will see more non-phone-based solutions.

Identity verification will always rely on issuers of credentials, such as Google or your bank, and a mechanism to verify that those presented credentials are real. However, we will also see a growing shift to self-control over the presentation of those credentials in the form of Self-Sovereign Identity (SSI) solutions.

SSI is intended to give individuals greater control and greater privacy over their personal data. To retain security, we will continue to see the requirement for fine-grained access control measures, and so the worlds of SSI and classical Identity and Access Management (IAM) will be driven closer over the coming years.

What’s next for Ubisecure?

As we close our 2021, we now have over 125k organizations using Ubisecure-issued LEIs. We are working hard to deploy new services that combine LEI and IAM capabilities to help legal entities take advantage of the LEI outside of meeting regulatory reporting requirements, such as the representation governance and KYC applications mentioned earlier.

Our IAM software/IDaaS business has also grown as we’ve seen many organizations go digital-first in response to the pandemic. This has raised many new interesting requirements, especially around regional-specific risk-based authentication, that we’re building into our Identity Platform.

Commercially, we are expanding throughout Europe. A big focus for us in 2022 and beyond is expanding the team with the right people who understand the value and potential digital identity holds to help achieve our mission.