Challenges and emerging solutions of centralized identity and credentials management in India
Ruchin Kumar | December 9, 2022
For many organizations, maintaining consumer trust is paramount. The more users trust an organization, the more that organization can grow its services and revenue. Should a data breach occur, that trust can be compromised. This is especially true for organizations handling highly sensitive data, such as those within the financial and government sectors.
A common cause of data breaches relates to improper management of credentials, such as passwords and keys. Managing secret credentials is far from an easy task, especially for larger organizations. A global internet hosting service estimated [https://blog.gitguardian.com/the-state-of-secrets-sprawl-2022/] that the nearly 50 million developers using the service have seen a 50% increase insecrets accidentally leaked in public repositories over a yearly basis — an unfortunate phenomenon referred to as “secrets sprawl.” Situations like these, which involve a wide and sometimes decentralized scattering of credentials, demand a centralized solution that consolidates secrets into a single location. This article reviews some of the challenges — and emerging solutions — of centralized identity and credentials management in India.
Distributing secrets can be burdensome and logistically challenging. This can prove true for both smaller organizations that may still be refining their security policies and larger organizations with a greater number of users and credentials to keep track of. The regrettable scenario of an employee with the password “12345” or “password” is all too familiar. Nevertheless, in the event of a data breach, lax credential management policies can lead to cybercriminals gaining access to an organization’s core systems, incurring staggering infrastructural costs and damaging customer trust.
Ideally, an organization would implement security policies designed to enforce best practices for managing its user access credentials, keys, databases, applications, etc. Having a data security infrastructure where credentials like user permissions, roles, and password requirements are carefully controlled and monitored is important.Organizations of any size would be well advised to store and monitor this information internally, in a centralized location. Doing so might require some organizations to adopt a new approach to secrets management.
A common example of a centralized identity management solution is single sign-on (SSO). SSO allows employees to use the company tools they’re authorized for without having to manage multiple login credentials. This allows workers to simply enable SSO and begin using different third-party apps without having to sign in to each one individually, increasing productivity while maintaining a high level of security.Another example may involve an organizationthat offers services through external applications, such as a bank, technology company, or e-commerce platform. If a user updates their personal or billing information in one application, the change is reflected in the others, without the user having to create separate accounts. This is possible if the organizationuses a centralized identity management platform. The user experience is improved and their data remains secure.
Even though these solutions exist, there is a demand for even more definitive and centralized strategies. As the number of online services continues to grow, so do the secrets that individuals and organizations must manage. Fortunately, the Indian government is already leading the way in developing a centralized identity and credentials repository.
Over a decade ago, the government established the Unique Identification Authority of India (UIDAI). This statutory body is responsible for issuing a unique identification (UID) or “Aadhaar”number to all citizens based on their demographic and biometric data. Aadhaar was initially intended to serve as proof of identity, and in the past several years it has been linked to a number of external services, such as banking and payments. For example, theNational Payments Corporation of India (NPCI) recently launched the Aadhaar Enabled Payment System (AePS) [https://www.npci.org.in/what-we-do/aeps/product-overview], which allows customers to carry out transactions with merchants using their biometric data, such as a fingerprint. The NPCI have also released the BHIM application, a payment app based on India’s Unified Payment Interface (UPI) that supports money transfers using Aadhaar. Of course, Aadhaar was not developed without taking cryptographic security into consideration. Services such as the National Informatics Centre (NIC)’s Aadhaar Data Vault Service allow organizations to store Aadhaar numbers in encrypted form, preserving the integrity of each identity.
While Aadhaar is a recent and ongoing initiative, it represents a strong government-led effort to deploy a centralized identity and credentials repository to improve security and consolidate secrets. However, it is not the only example of such initiatives within India. The NIC is currently working on a pilot program to test new versions of a centralized identity and credentials repository. And on a different front, the BFSI sector and others are also considering adopting a centralized approach to enforce security while improving workforce efficiency. Meanwhile, to address the security concerns that singular identities present, the NCI has published research [https://dl.acm.org/doi/10.1145/3494193.3494200] about the potential of distributed ledger and blockchain technology to authenticate identities.
The problem of multiple identities and credentials will only increase in prominence as the number of online services, applications, and users continues to grow. To stay ahead of the curve, organizations must adopt effective strategies for managing these credentials, such as SSO or a centralized identity management platform. However, the Central Government is also pursuing centralized identity projects, one example being Aadhaar, with future initiatives on the way. The main point in common between these solutions is consolidation. When secrets are consolidated with a centralized solution, it reduces the burden of managing them and improves workforce productivity. More importantly, it mitigates the possibility of a data breach, keeping an organization’s sensitive data — and the trust of their customers —safe and sound.
Ruchin Kumar is VP South Asia, Futurex
The union cabinet on Thursday approved the establishment of three semiconductor units under ‘Development of Semiconductors and Display Manufacturing Ecosystems in India’. Involving a total investment of nearly Rs 1.26 lakh crore, the three units -- two in Gujarat, one in Assam – wil
Mumbai is one of busiest airports in India, handling a large volume of domestic and international flights including military, non-scheduled and general aviation flights. Mumbai`s Chhatrapati Shivaji Maharaj International Airport (CSMIA) has two intersecting runways which cannot be operated
BrihanMumbai municipal corporation is floating nearly 900 tenders worth of Rs 150 crore in the next 10 days, but that is only for ward-level civic works, the BMC clarified on Monday, reacting to reports in a section of media. “Since there are 25 wards in BMC, it involves m
In a first-of-its-kind initiative, Election Commission of India (ECI) on Monday signed a memorandum of understanding (MoU) with two prominent organisations, the Indian Banks’ Association (IBA) and the Department of Posts (DoP), to amplify its voter outreach and awareness efforts ahead of the forthcom
Snakes, Drugs and Rock ’N’ Roll: My Early Years By Romulus Whitaker with Janaki Lenin HarperCollins, 400 pages, Rs 699
The Moral Contagion By Julia Hauser and Sarnath Banerjee HarperCollins, 140 pages, Rs 699 The world has lar