Centralising secrets: How organizations can manage identity and credentials

Challenges and emerging solutions of centralized identity and credentials management in India

Ruchin Kumar | December 9, 2022


#Technology   #security   #e-governance   #Aadhaar   #NPCI  
(Image: Ashish Asthana)
(Image: Ashish Asthana)

For many organizations, maintaining consumer trust is paramount. The more users trust an organization, the more that organization can grow its services and revenue. Should a data breach occur, that trust can be compromised. This is especially true for organizations handling highly sensitive data, such as those within the financial and government sectors.

A common cause of data breaches relates to improper management of credentials, such as passwords and keys. Managing secret credentials is far from an easy task, especially for larger organizations. A global internet hosting service estimated [https://blog.gitguardian.com/the-state-of-secrets-sprawl-2022/] that the nearly 50 million developers using the service have seen a 50% increase insecrets accidentally leaked in public repositories over a yearly basis — an unfortunate phenomenon referred to as “secrets sprawl.” Situations like these, which involve a wide and sometimes decentralized scattering of credentials, demand a centralized solution that consolidates secrets into a single location. This article reviews some of the challenges — and emerging solutions — of centralized identity and credentials management in India.

Challenges
Distributing secrets can be burdensome and logistically challenging. This can prove true for both smaller organizations that may still be refining their security policies and larger organizations with a greater number of users and credentials to keep track of. The regrettable scenario of an employee with the password “12345” or “password” is all too familiar. Nevertheless, in the event of a data breach, lax credential management policies can lead to cybercriminals gaining access to an organization’s core systems, incurring staggering infrastructural costs and damaging customer trust.
 
Ideally, an organization would implement security policies designed to enforce best practices for managing its user access credentials, keys, databases, applications, etc. Having a data security infrastructure where credentials like user permissions, roles, and password requirements are carefully controlled and monitored is important.Organizations of any size would be well advised to store and monitor this information internally, in a centralized location. Doing so might require some organizations to adopt a new approach to secrets management.

Solutions
A common example of a centralized identity management solution is single sign-on (SSO). SSO allows employees to use the company tools they’re authorized for without having to manage multiple login credentials. This allows workers to simply enable SSO and begin using different third-party apps without having to sign in to each one individually, increasing productivity while maintaining a high level of security.Another example may involve an organizationthat offers services through external applications, such as a bank, technology company, or e-commerce platform. If a user updates their personal or billing information in one application, the change is reflected in the others, without the user having to create separate accounts. This is possible if the organizationuses a centralized identity management platform. The user experience is improved and their data remains secure.

Even though these solutions exist, there is a demand for even more definitive and centralized strategies. As the number of online services continues to grow, so do the secrets that individuals and organizations must manage. Fortunately, the Indian government is already leading the way in developing a centralized identity and credentials repository.

Government initiatives
Over a decade ago, the government established the Unique Identification Authority of India (UIDAI). This statutory body is responsible for issuing a unique identification (UID) or “Aadhaar”number to all citizens based on their demographic and biometric data. Aadhaar was initially intended to serve as proof of identity, and in the past several years it has been linked to a number of external services, such as banking and payments. For example, theNational Payments Corporation of India (NPCI) recently launched the Aadhaar Enabled Payment System (AePS) [https://www.npci.org.in/what-we-do/aeps/product-overview], which allows customers to carry out transactions with merchants using their biometric data, such as a fingerprint. The NPCI have also released the BHIM application, a payment app based on India’s Unified Payment Interface (UPI) that supports money transfers using Aadhaar. Of course, Aadhaar was not developed without taking cryptographic security into consideration. Services such as the National Informatics Centre (NIC)’s Aadhaar Data Vault Service allow organizations to store Aadhaar numbers in encrypted form, preserving the integrity of each identity.
 
Looking ahead
While Aadhaar is a recent and ongoing initiative, it represents a strong government-led effort to deploy a centralized identity and credentials repository to improve security and consolidate secrets. However, it is not the only example of such initiatives within India. The NIC is currently working on a pilot program to test new versions of a centralized identity and credentials repository. And on a different front, the BFSI sector and others are also considering adopting a centralized approach to enforce security while improving workforce efficiency. Meanwhile, to address the security concerns that singular identities present, the NCI has published research [https://dl.acm.org/doi/10.1145/3494193.3494200] about the potential of distributed ledger and blockchain technology to authenticate identities.

Conclusion
The problem of multiple identities and credentials will only increase in prominence as the number of online services, applications, and users continues to grow. To stay ahead of the curve, organizations must adopt effective strategies for managing these credentials, such as SSO or a centralized identity management platform. However, the Central Government is also pursuing centralized identity projects, one example being Aadhaar, with future initiatives on the way. The main point in common between these solutions is consolidation. When secrets are consolidated with a centralized solution, it reduces the burden of managing them and improves workforce productivity. More importantly, it mitigates the possibility of a data breach, keeping an organization’s sensitive data — and the trust of their customers —safe and sound.

Ruchin Kumar is VP South Asia, Futurex

Comments

 

Other News

Making sense of the ‘crisis of political representation’

Imprints of the Populist Time By Ranabir Samaddar Orient BlackSwan, 352 pages, Rs. 1105 The crisis of liberal democracy in the neoliberal world—marked by massive l

Budget: Highlights

Union minister of finance and corporate affairs Nirmala Sitharaman presented the Union Budget 2023-24 in Parliament on Wednesday. The highlights of the Budget are as follows: PART A     Per capita income has more than doubled to Rs 1.97 lakh in around

Budget presents vision for Amrit Kaal: A blueprint for empowered, inclusive economy

Union Budget 2023-24, presented by finance minister Nirmala Sitharaman in the Parliament on Wednesday, outlined the vision of Amrit Kaal which shall reflect an empowered and inclusive economy.  “We envision a prosperous and inclusive India, in which the fruits of development reach all regions an

Soumya Swaminathan to head M S Swaminathan Research Foundation

Former World Health Organisation (WHO) chief scientist Soumya Swaminathan takes charge as chairperson of M S Swaminathan Research Foundation (MSSRF) from February 1.   Founded by her father, the legendary agricultural scientist M S Swaminathan, MSSRF was set up to accelerate the use of m

m-Governance: Key to Digital India

The digital revolution is being led by India. Digital governance is a key component of the government's ambition to transform India into a society where everyone has access to the internet. It includes both M-governance and E-governance, which are major methods for the delivery of services via mobile devic

A sacred offering of the beauty of ‘Saundarya Lahari’ – in English

Saundarya Lahari: Wave of Beauty Translated from the Sanskrit by Mani Rao HarperCollins, 218 pages, Rs 399 ‘Saundarya Lahari’, usually ascribed to Adi Shankaracharya, has a unique status among the religious-spiritual works of Hinduism.

Visionary Talk: Amitabh Gupta, Pune Police Commissioner with Kailashnath Adhikari, MD, Governance Now



Archives

Current Issue

Opinion

Facebook    Twitter    Google Plus    Linkedin    Subscribe Newsletter

Twitter