Australia’s digital boom fuels the next billion digital identities

Digital’s biggest advantage – choice – is also its greatest drawback.

There’s a near-endless pool of potential destinations: clouds, applications and services, for users to select from. Whether free or paid, each destination inevitably asks for a bit of information about the person (or device) wanting access to it.

This often results in a set of credentials being created to identify the user when they interact with that destination in the future. Information about their use of the service may be collected for personalisation, monetisation or other purposes.

People are inevitably amassing vast collections of credentials, often a new one for every digital service they interact with. On one estimate by Deloitte, the average user had 200 digital accounts by 2020. Given the digital boom of the past two years, that number is likely to sit substantially higher today.

Even a cursory look at digital usage habits sees account numbers quickly add up.

Australians are estimated to have 7.2 social media accounts, and an average of 4.3 “entertainment services” per household. The 81 per cent of Australian households that shop online now do so from 15 different e-tailers on average. About 39 per cent of Australians have accounts with more than one bank, and 27 per cent have more than one superannuation account.

Not all of these would be distinct “identities”. For a lot of online services, users are able to authenticate with a common ID and password login, such as one they use for a social media account. Or they may (inadvisably) reuse the same username-password combination across multiple different services, so they don’t have to keep track of a separate set of credentials for each service they use.

What’s certain is that a person is no longer a single identity.

VIEW ALL

We estimate that a typical person might have upwards of 15 identities distributed across social media accounts, applications, cloud services, mobile, and physical devices. That’s easier to manage than 200 identities but is still going to cause some challenges.

Comfort for cloud services providers

If keeping track of the number of identities is challenging for users, consider the task confronting the issuers of these sets of credentials to manage and protect them from breach, theft or misuse.

Keeping track of and protecting cloud identities is a large-scale, never-ending inventory process where users are continuously added and removed.

Global usage of the largest cloud storage services can give an idea of how many identities are stored in the cloud. In 2018, Google Drive surpassed one billion users, while the Google Workspace cloud platform as a whole reached two billion users in 2020. The second most popular cloud storage service – Dropbox – has a huge following as well, with over 700 million reported users.

If all 3.7 billion people using these cloud services also had a further 15 cloud identities, we could be looking at a minimum of 55.5 billion identities in the cloud – that’s over seven times the global population.

This is just users that are internet-connected today. Hyperscalers like Google often look to the future to “the next billion users” that will come online. As more of the world gets connected, the proliferation of identities will multiply further.

Additionally, it is no longer just people that have online identities – as cloud adoption accelerates, there has been an explosion of non-people – machine – identities. Machine identities act intelligently and make decisions on behalf of traditional people identities – these can be bots, serverless functions, or infrastructure code. Due to the boom in digital transformation, machine identities now outnumber people identities. Machine identity theft or misuse in the next two years is considered a real and credible threat.

Keeping digital identity safe

There are actions that online and cloud businesses can take to help individuals keep all their digital identities safe.

Passwords can often be the only barrier between a cyber criminal and sensitive information. There are several programs attackers can use to guess or “crack” passwords or even easier to phish credentials. Organisations should recommend that users follow NIST guidance on updating passwords, which is generally now once per year or upon known compromise.

However, to really help mitigate credential sprawl, organisations should establish a global authentication authority to define access policies and apply the concept of SSO’ing everything to its practical limits. SSO (and even passwords) should be used with compensating controls such as MFA and risk signals.

If passwords become compromised, enabling MFA as an extra layer of security will decrease the likelihood that cyber criminals who have stolen passwords can log into accounts. Furthermore, adding a layer of intelligence via risk signals will help to decrease MFA fatigue.

Organisations themselves can further protect users by ensuring all important files are encrypted. To read an encrypted file, the user must have access to a secret code to enable decryption. This means no one other than an authorised user can see it – not even the provider. This extra level of security will make it difficult for any potential attacker.

The organisation should also make efforts to secure and manage administrative consoles and entitlements as well as secrets such as embedded credentials, keys, tokens, certificates and API-keys for human and machine identities. This reduces the likelihood that identities with high permissions can be exploited to gain privileged access to accounts, systems and information.

Ashley Diffey is the head of APAC and Japan at Ping Identity.