Identity Under Attack takeaways: Key takeaways you need to know

Ping Identity and Forgerock CEO Andre Durand gave an impactful keynote speech at Identiverse 2023, aptly named Identity Under Attack. As the CEO and Founder of Ping Identity, he’s been involved in the growth and development of identity and access management solutions for decades. 

Now, with the rapid advancement of AI unfolding, his experienced perspective sheds light on how AI will likely change the world of identity and cybersecurity overall.

Read on as we break down some of the key takeaways from his keynote address that demonstrate how AI has already changed the world of identity and what’s possibly on the horizon.

 

Identity Has Moved to the Center Stage

Durand shows a parallel between the current state of identity and the utility of code-breaking in WWII. Codebreaking began as a tangential practice and became increasingly potent as the practice evolved, eventually making a pivotal difference in the war.

Identity also began on the outskirts of cybersecurity and user management but has since become central to protecting a company’s IT assets and infrastructure.

Now, every step in the identity lifecycle must be verified and monitored to avoid exploitation. It’s no longer a fringe practice but the cornerstone of modern security.

 

Identity Defined Security is Crucial

We’ve seen how, over the past decade, identity has allowed companies to shrink the blast radius if credentials are compromised. MFA, risk signals, FIDO, and other practices help minimize the impact of stolen or fraudulent credentials.

However, as far as the industry has come, AI has introduced a new threat that attacks the foundation of identity-defined security — trust.

 

Trust Under Siege

AI has made everything suspicious; what can we still trust? In IAM, we’re used to thinking about the cybersecurity meaning of trust, but that’s not all that’s under attack.

It’s not just trust in our systems. It’s trust in our own senses and others we depend on. Our senses themselves can be attacked: AI-generated voices based on upper management, increasingly sophisticated AI images, and any text-based communications.

Durand points out that human recognition is a form of authentication; understanding that it’s your employee or manager on the other end of the phone is based on trusting the authenticity of their voice.

What does this mean? Trust as we know it is becoming a relic.

 

AI for Bad Actors

Durand believes the primary way AI will be used to attack companies is through social engineering. While we’ll likely see advanced tools for other attack vectors, the latest wave of generative AI can be used for increasingly sophisticated social engineering attacks.

The result — we need to move from ‘trust, then verify’ to ‘verify always.’ Identity itself must serve the new needs of authentication, and only once something is authenticated can it be trusted. Instead of trusting by default, we’ll need to move to untrustworthy by default. 

Durand eloquently laid out the problem, “AI for bad will precede AI for good.” The cybersecurity community will need to embrace speed and agility to develop, deploy, and manage advanced tools to respond to threats.

 

Complexity Demands Agility

Identity systems will continue evolving to meet the needs of this new AI-centric ecosystem. And these new systems will become more complex at the same time.

As the identity control plane grows, companies must become more agile to adapt to evolving environments. It’s clear legacy systems do not have the capability to easily be protected against and upgraded to counter this new AI-centric reality. The control plane of authentication and authorization needs to be externalized so that it can achieve the agility needed to counter these threats.

 

An Optimistic Warning

You’ve probably seen keynote speeches end on a positive note, and while Durand’s speech is optimistic, it’s also a warning. He clearly states that the world will become very small if the security industry doesn’t win the fight against new AI-enabled threats.

When attacked, human nature is to go into a shell to feel more secure. If this occurs throughout IT, we’ll stop exploring and growing, and that’s to the detriment of everyone.

However, he remains undeterred. Unmitigated AI will be a challenge, but he believes the industry can rise to meet this new challenge. Durand highlights that this is a point in history that we’ve never faced before, but building a resilient infrastructure that allows for the agility we need is within reach.

 

Start Your Modern IAM Journey with the Right Partner

We appreciate Durand’s insights into the challenges and threats we’ve already seen emerge as AI has evolved. And we also share his sentiment.

With new threats, emerging technologies, and increasing complexity — companies need to take a proactive approach to protecting their most essential systems and data.

Are you looking to implement a purpose-built IAM solution for your organization? Discover how Indigo Consulting can help you start your journey to a modern IAM solution.