Centralising secrets: How organizations can manage identity and credentials

Challenges and emerging solutions of centralized identity and credentials management in India

Ruchin Kumar | December 9, 2022

#Technology   #security   #e-governance   #Aadhaar   #NPCI  
(Image: Ashish Asthana)
(Image: Ashish Asthana)

For many organizations, maintaining consumer trust is paramount. The more users trust an organization, the more that organization can grow its services and revenue. Should a data breach occur, that trust can be compromised. This is especially true for organizations handling highly sensitive data, such as those within the financial and government sectors.

A common cause of data breaches relates to improper management of credentials, such as passwords and keys. Managing secret credentials is far from an easy task, especially for larger organizations. A global internet hosting service estimated [https://blog.gitguardian.com/the-state-of-secrets-sprawl-2022/] that the nearly 50 million developers using the service have seen a 50% increase insecrets accidentally leaked in public repositories over a yearly basis — an unfortunate phenomenon referred to as “secrets sprawl.” Situations like these, which involve a wide and sometimes decentralized scattering of credentials, demand a centralized solution that consolidates secrets into a single location. This article reviews some of the challenges — and emerging solutions — of centralized identity and credentials management in India.

Distributing secrets can be burdensome and logistically challenging. This can prove true for both smaller organizations that may still be refining their security policies and larger organizations with a greater number of users and credentials to keep track of. The regrettable scenario of an employee with the password “12345” or “password” is all too familiar. Nevertheless, in the event of a data breach, lax credential management policies can lead to cybercriminals gaining access to an organization’s core systems, incurring staggering infrastructural costs and damaging customer trust.
Ideally, an organization would implement security policies designed to enforce best practices for managing its user access credentials, keys, databases, applications, etc. Having a data security infrastructure where credentials like user permissions, roles, and password requirements are carefully controlled and monitored is important.Organizations of any size would be well advised to store and monitor this information internally, in a centralized location. Doing so might require some organizations to adopt a new approach to secrets management.

A common example of a centralized identity management solution is single sign-on (SSO). SSO allows employees to use the company tools they’re authorized for without having to manage multiple login credentials. This allows workers to simply enable SSO and begin using different third-party apps without having to sign in to each one individually, increasing productivity while maintaining a high level of security.Another example may involve an organizationthat offers services through external applications, such as a bank, technology company, or e-commerce platform. If a user updates their personal or billing information in one application, the change is reflected in the others, without the user having to create separate accounts. This is possible if the organizationuses a centralized identity management platform. The user experience is improved and their data remains secure.

Even though these solutions exist, there is a demand for even more definitive and centralized strategies. As the number of online services continues to grow, so do the secrets that individuals and organizations must manage. Fortunately, the Indian government is already leading the way in developing a centralized identity and credentials repository.

Government initiatives
Over a decade ago, the government established the Unique Identification Authority of India (UIDAI). This statutory body is responsible for issuing a unique identification (UID) or “Aadhaar”number to all citizens based on their demographic and biometric data. Aadhaar was initially intended to serve as proof of identity, and in the past several years it has been linked to a number of external services, such as banking and payments. For example, theNational Payments Corporation of India (NPCI) recently launched the Aadhaar Enabled Payment System (AePS) [https://www.npci.org.in/what-we-do/aeps/product-overview], which allows customers to carry out transactions with merchants using their biometric data, such as a fingerprint. The NPCI have also released the BHIM application, a payment app based on India’s Unified Payment Interface (UPI) that supports money transfers using Aadhaar. Of course, Aadhaar was not developed without taking cryptographic security into consideration. Services such as the National Informatics Centre (NIC)’s Aadhaar Data Vault Service allow organizations to store Aadhaar numbers in encrypted form, preserving the integrity of each identity.
Looking ahead
While Aadhaar is a recent and ongoing initiative, it represents a strong government-led effort to deploy a centralized identity and credentials repository to improve security and consolidate secrets. However, it is not the only example of such initiatives within India. The NIC is currently working on a pilot program to test new versions of a centralized identity and credentials repository. And on a different front, the BFSI sector and others are also considering adopting a centralized approach to enforce security while improving workforce efficiency. Meanwhile, to address the security concerns that singular identities present, the NCI has published research [https://dl.acm.org/doi/10.1145/3494193.3494200] about the potential of distributed ledger and blockchain technology to authenticate identities.

The problem of multiple identities and credentials will only increase in prominence as the number of online services, applications, and users continues to grow. To stay ahead of the curve, organizations must adopt effective strategies for managing these credentials, such as SSO or a centralized identity management platform. However, the Central Government is also pursuing centralized identity projects, one example being Aadhaar, with future initiatives on the way. The main point in common between these solutions is consolidation. When secrets are consolidated with a centralized solution, it reduces the burden of managing them and improves workforce productivity. More importantly, it mitigates the possibility of a data breach, keeping an organization’s sensitive data — and the trust of their customers —safe and sound.

Ruchin Kumar is VP South Asia, Futurex



Other News

Diamonds are Forever: A Saturday story

Saturday Stories By Rashmi Bansal HarperCollins, 176 pages, Rs 250 From the bestselling author of ‘Stay Hu

Oracle Adds AI Capabilities to Oracle Analytics Cloud

Oracle has showcased new AI-powered capabilities within Oracle Analytics Cloud. Leveraging the Oracle Cloud Infrastructure (OCI) Generative AI service, the new capabilities assist analytics self-service users to more quickly and efficiently conduct sophisticated analysis and make better business decisions

Domestic airlines show 38.27% growth in passenger numbers

The domestic aviation industry has witnessed a remarkable surge in passenger traffic during the first eight months of 2023. According to the latest data analysis, the number of passengers carried by domestic airlines from January to August 2023 reached an impressive 1190.62 lakhs, marking a substantial inc

MPs bid adieu to historic parliament building, step into new building

A function was organised in the Central Hall of Parliament on Tuesday to commemorate the rich legacy of the Parliament of India as the Members came together to bid adieu to the historical building before stepping into the New Building of Parliament. Prime Minister Narendra Modi, Lok Sabha sp

Real action, not words alone, needed to achieve UN agenda 2030: civil society

As politicians and policymakers make speeches at the United Nations during a high-level summit next week to assess the lack of progress on the 2030 Agenda and the Sustainable Development Goals (SDGs), people’s leaders representing some of the world’s most marginalised communities have come toge

Fourth GPFI G20 meeting pledges to work for universal financial inclusion

The fourth G20 Global Partnership for Financial Inclusion (GPFI) meeting held in Mumbai during September 14-16 concluded with members agreeing to work towards the vision of universal financial inclusion under the new G20 Financial Inclusion Action Plan. Over the course of three days, discuss

Visionary Talk: Amitabh Gupta, Pune Police Commissioner with Kailashnath Adhikari, MD, Governance Now


Current Issue


Facebook Twitter Google Plus Linkedin Subscribe Newsletter