Attackers have always been eager to damage businesses of every size, from small to large-scale, and with the COVID-19 pandemic still happening, the situation is getting worse. While employees praise the ability to work from the comfort of their own homes, it creates cybersecurity challenges for enterprises.
Some of the most common threats that organizations can become victims of are ransomware, phishing, and data breaches. The consequences of encountering such dangers can be detrimental. The outcomes can include stolen confidential data, a huge reduction in profits, or loss of customer trust.
Because it is not possible to manually ensure that no cybercriminals can infiltrate employee devices, various cybersecurity tools, such as Privileged Access Management (PAM), exist.
To talk about the significance of cybersecurity and valuable tools, we invited Konstantin Krasovskij, the CEO of Indeed Identity, a company that develops security products for various industries.
Please introduce us to Indeed Identity. What has the journey been like so far?
Indeed Identity is a cybersecurity software vendor with more than 10 years of expertise and a team of over 60 professionals. We started to develop our solutions in 2000 and continuously improve them in accordance with the demands of the market and customers.
Now, we have two offices worldwide. The first office is located in Lithuania and it is responsible for all business operations in the EMEA region. The other office is located in Singapore and it is responsible for our work in the APAC region. We have more than 50 partners worldwide and more than 200 projects going on in different countries.
Indeed Identity provides cutting-edge solutions for modern cybersecurity. There are three main areas of our expertise: the first is privileged access management, and the second is a card management system that manages the lifecycle of digital certificates and smart cards and improves the PKI efficiency. The last but not least area of expertise is comprehensive access management of regular employees to the IT resources of a company and multi-factor authentication.
You take great pride in your Access and Privileged Access Manager products. Can you tell us more about them?
It’s not a secret that PAM is currently a highly demanded solution. If earlier its use was mainly a must-have for large enterprises, today this solution is increasingly used by medium-sized companies. We, as developers, are promoting a new attitude towards this class of solutions. We believe that at this time, PAM should be accessible, valued as an investment, and not a luxury tool for companies of any size.
Accordingly, we try to provide our clients with a variety of PAM usage models. This includes, among other things, the ability to use the solution for a small number of privileged users, the choice of different licensing models: not only by the number of users and resources but also licensing by the principle of simultaneous connections without limiting the number of users. Our main principle is to make PAM easy to use at an affordable price.
As for access control for ordinary users, the class of these solutions has a large number of vendors offering various authentication options. Indeed AM supports almost all possible options, such as OTP, biometrics, digital certificates, push notification, etc. Also, our solution allows you to combine these methods in any variation. Access policies are quite diverse, which allows our clients to customize secure access in accordance with their requirements.
Choosing the right solution for your enterprise can often be a complicated task. Which access management options are better suited for small businesses and which ones are mainly used by big organizations?
When choosing a PAM solution, you should first of all decide on the goals for which PAM is chosen. Large companies require a large number of different functions and features, such as Just-in-Time or a user behavior analysis with the ability to quickly respond to threats by an administrator or security officer.
Speaking about SMB, based on our experience, they require less equipped solutions that would allow them to use the basic functions of PAM. Such a solution should be quick and easy to deploy, use a small amount of resources, but still be affordable.
As we know, PAM vendors, whose solutions have a large number of different features, are often extremely expensive and difficult to install. Another very important point is the time of response of technical support to customer requests. This is especially important, given that the tasks that PAM solves are classified as critical.
Did the pandemic reveal any new flaws and gaps in your field?
Of course, the pandemic has become a serious challenge for the information security of both enterprises and developers of cybersecurity solutions. First of all, remote work as a format has become new for most companies. It required new methods of remote authentication, new access control policies, and the use of equipment that was not so popular before.
The pandemic has increased the opportunity for cyberattacks and made the cost of these attacks lower. This means that the traditional information security model is no longer effective. The new model, in my opinion, should include such tools as Artificial Intelligence, user behavior analysis, and automation of some security management processes.
In your opinion, what cybersecurity practices are essential for businesses nowadays?
The variety of cyber attacks requires the use of a large number of security solutions. Not being experts in all cybersecurity issues, but only in the field of access control, we can note that the list of top 10 cyber threats traditionally includes such threats as phishing, deepfake, and remote work threats. In this regard, the use of solutions to protect against these threats, such as secure access management and biometric technologies, should become a daily practice.
The digital revolution is causing new types of threats. I think that in the near future we will face attacks in the field of IoT and IIoT.
Recently, the discussion around biometric authentication has gained a lot of attention. Do you think it is going to surpass other authentication methods in the near future?
We have been using biometric solutions for quite a while, and the way we see it, biometric authentication is no silver bullet against cyberattacks, but it adds value as a user-friendly auxiliary authentication method. It is impossible to give up the traditional MFA right now – or in the foreseeable future – but biometric solutions will continue to proliferate in various scenarios given the convenient UX they provide, and the ever-increasing confidence of the biometric technology.
Even with the latest state-of-the-art developments in the area, the task of biometric authentication remains probabilistic by nature. So, we envision that the applications that require the highest level of security will continue to combine several factors rather than rely on biometrics only.
As biometric recognition and authentication become more common, new problems arise. The most obvious are those related to privacy and possible presentation attacks (spoofing). Addressing such issues will be high on the agenda of developers and researchers.
Nevertheless, we believe in the utility and value of biometric technologies, and we are working to create our own biometric product. We started with face recognition, looking to extend to other biometric and behavioral modalities in the future. In line with our views on the possible concerns, we pay special attention to anti-spoofing and privacy protection. Our technology is undergoing internal testing as a drop-in replacement for third-party solutions, and then we will start offering it to our customers.
Since you provide solutions for various industries, which vulnerabilities do you think are often overlooked in each field?
We provide our solutions to companies from more than 10 different industries, including government, gas and oil, finance, telecom, etc. These are large and medium-sized companies, sometimes small ones. Therefore, it is quite difficult to describe the vulnerabilities of each area in detail.
However, based on our experience, some of the vulnerabilities apply to companies of all industries and sizes. Speaking about vulnerabilities, we must first of all understand that they are determined by the development of the variability of attacks and threats, which are improving every year. There are new ways, new goals, and new types of hackers.
Based on the experience of our colleagues in the industry, as well as our own, we can identify several common weaknesses in protection.
In the field of MFA, many companies use SMS messages with a pin code as one of the authentication methods. Recently, SMS interception technologies have appeared, which certainly makes access to the infrastructure vulnerable.
It is also necessary to mention the fact that large and medium-sized enterprises quite often shift part of the security tasks to the users themselves, for example, by obliging them to change access passwords once a period. In our opinion, however, there are many ways to automate this process, which are provided by various access management solutions.
What information security issues would you like to see resolved in the next few years?
Of course, I would like all the difficulties to be resolved, but I perfectly understand that this is impossible. Information security tools are being improved daily, just like the tools of cybercriminals. And I must admit that the difficulties in this area will not disappear. In a global sense, we would like to see cybersecurity solutions developing faster than threats.
Speaking of specific changes, we would like to see the cybersecurity tools that PKI provides used more frequently. Digital certificates provide a very wide range of possibilities. This is not only a signature of financial transactions, documents, and email, but it is also a method of authentication when gaining access to the infrastructure. The combination of a digital certificate and other authentication methods significantly increases enterprise security.
Our company is one of the organizers of the PKI club community, which brings together more than 300 experts in the field of PKI and certificate management. We see that this area is becoming more promising and in demand, especially with the development of IoT and IIoT.
What’s next for Indeed Identity?
New solutions, new partners, and new regions. We continue to improve our products and provide new features for our customers. Our partner network is expanding, and we managed to get through the pandemic without losses and even grow our team by more than 20%, despite all the difficulties.
In the near future, we hope to launch our own biometric authentication solution into production and offer it to the global market.