Challenges and emerging solutions of centralized identity and credentials management in India
For many organizations, maintaining consumer trust is paramount. The more users trust an organization, the more that organization can grow its services and revenue. Should a data breach occur, that trust can be compromised. This is especially true for organizations handling highly sensitive data, such as those within the financial and government sectors.
A common cause of data breaches relates to improper management of credentials, such as passwords and keys. Managing secret credentials is far from an easy task, especially for larger organizations. A global internet hosting service estimated [https://blog.gitguardian.com/the-state-of-secrets-sprawl-2022/] that the nearly 50 million developers using the service have seen a 50% increase insecrets accidentally leaked in public repositories over a yearly basis — an unfortunate phenomenon referred to as “secrets sprawl.” Situations like these, which involve a wide and sometimes decentralized scattering of credentials, demand a centralized solution that consolidates secrets into a single location. This article reviews some of the challenges — and emerging solutions — of centralized identity and credentials management in India.
Challenges
Distributing secrets can be burdensome and logistically challenging. This can prove true for both smaller organizations that may still be refining their security policies and larger organizations with a greater number of users and credentials to keep track of. The regrettable scenario of an employee with the password “12345” or “password” is all too familiar. Nevertheless, in the event of a data breach, lax credential management policies can lead to cybercriminals gaining access to an organization’s core systems, incurring staggering infrastructural costs and damaging customer trust.
Ideally, an organization would implement security policies designed to enforce best practices for managing its user access credentials, keys, databases, applications, etc. Having a data security infrastructure where credentials like user permissions, roles, and password requirements are carefully controlled and monitored is important.Organizations of any size would be well advised to store and monitor this information internally, in a centralized location. Doing so might require some organizations to adopt a new approach to secrets management.
Solutions
A common example of a centralized identity management solution is single sign-on (SSO). SSO allows employees to use the company tools they’re authorized for without having to manage multiple login credentials. This allows workers to simply enable SSO and begin using different third-party apps without having to sign in to each one individually, increasing productivity while maintaining a high level of security.Another example may involve an organizationthat offers services through external applications, such as a bank, technology company, or e-commerce platform. If a user updates their personal or billing information in one application, the change is reflected in the others, without the user having to create separate accounts. This is possible if the organizationuses a centralized identity management platform. The user experience is improved and their data remains secure.
Even though these solutions exist, there is a demand for even more definitive and centralized strategies. As the number of online services continues to grow, so do the secrets that individuals and organizations must manage. Fortunately, the Indian government is already leading the way in developing a centralized identity and credentials repository.
Government initiatives
Over a decade ago, the government established the Unique Identification Authority of India (UIDAI). This statutory body is responsible for issuing a unique identification (UID) or “Aadhaar”number to all citizens based on their demographic and biometric data. Aadhaar was initially intended to serve as proof of identity, and in the past several years it has been linked to a number of external services, such as banking and payments. For example, theNational Payments Corporation of India (NPCI) recently launched the Aadhaar Enabled Payment System (AePS) [https://www.npci.org.in/what-we-do/aeps/product-overview], which allows customers to carry out transactions with merchants using their biometric data, such as a fingerprint. The NPCI have also released the BHIM application, a payment app based on India’s Unified Payment Interface (UPI) that supports money transfers using Aadhaar. Of course, Aadhaar was not developed without taking cryptographic security into consideration. Services such as the National Informatics Centre (NIC)’s Aadhaar Data Vault Service allow organizations to store Aadhaar numbers in encrypted form, preserving the integrity of each identity.
Looking ahead
While Aadhaar is a recent and ongoing initiative, it represents a strong government-led effort to deploy a centralized identity and credentials repository to improve security and consolidate secrets. However, it is not the only example of such initiatives within India. The NIC is currently working on a pilot program to test new versions of a centralized identity and credentials repository. And on a different front, the BFSI sector and others are also considering adopting a centralized approach to enforce security while improving workforce efficiency. Meanwhile, to address the security concerns that singular identities present, the NCI has published research [https://dl.acm.org/doi/10.1145/3494193.3494200] about the potential of distributed ledger and blockchain technology to authenticate identities.
Conclusion
The problem of multiple identities and credentials will only increase in prominence as the number of online services, applications, and users continues to grow. To stay ahead of the curve, organizations must adopt effective strategies for managing these credentials, such as SSO or a centralized identity management platform. However, the Central Government is also pursuing centralized identity projects, one example being Aadhaar, with future initiatives on the way. The main point in common between these solutions is consolidation. When secrets are consolidated with a centralized solution, it reduces the burden of managing them and improves workforce productivity. More importantly, it mitigates the possibility of a data breach, keeping an organization’s sensitive data — and the trust of their customers —safe and sound.
Ruchin Kumar is VP South Asia, Futurex