Since internet protocols were originally based on the idea of routing packets between trusted entities, the internet has no universal concept of identity, said Ping Identity CEO and chairman Andre Durand, noting that Vint Cerf, one of the fathers of the internet, has said that if given a second chance to start from scratch he would tackle identity.
But "retrofitting the house" is a messy and complicated business, said Durand, as it means building identity into everything, and that has resulted in password proliferation.
Knowing who is visiting a particular web site is useful but not essential ("There's a lot of money at stake" in knowing who is visiting a particular site, he said, predicting a shift from 'anonymous by default' to 'identified by default'). Identity becomes essential where value is involved, whether that is transferable value - think internet banking sites or PayPal - or the use of subscription services.
Ping Identity's platform is therefore designed to meet the need for systems to identify users, whether they are employees, customers, partners or any other party.
The company's vision is that identity should be the centrepiece of security (the traditional concept of users and systems both being inside a firewall is no longer realistic), and that identity is used to give the right people access to the right resources. "I think we're on the way," he told iTWire.
Durand sees a parallel with the early 1990s where proprietary protocols meant many organisations had internal email systems that could not be used to communicate with the outside world. But that changed when internet-oriented protocols including SMTP were widely adopted.
Ping Identity has been developing identity standards to cover every use case, he said, and putting them on top of proprietary identity systems in order to provide broad single-sign-on capabilities for diverse systems, including SaaS.
Federated sign-on means that once users have identified themselves, they can access all the internal or external resources they are entitled to, without having to repeatedly log in.
Durand sees these new standards replacing existing identity architectures over time. "A refresh is quickly approaching," he told iTWire. There comes a point where people accept that standards are good enough, and the new identity standards are getting there.
For now, the company is working with systems integrators such as PricewaterhouseCoopers and Deloitte, as well as vendors including Amazon Web Services, Cisco, F5, MDM provider MobileIron, and identity management specialist UnboundID. "The ecosystem's pretty broad," he said.
As noted in a previous article, some organisations are cutting back on their data centres in favour of IaaS. One very large US company is using Ping Identity in such an environment, Durand told iTWire.
Local customers include certain Queensland Government departments and some large private banks, he added.
Looking ahead, smartphones "open the door to user authentication," he said, as they provide a platform for "continuous authentication." Examples include the ability to consider how the user typed a PIN or password rather than merely what was typed, to incorporate Touch ID and other biometrics, and to take into account the location of the device. The more atypical the pattern and the more valuable the resource being accessed, the more reason there is to deny or challenge the interaction.
Durand gave as an example the way that as CEO, he is authorised to view the company's bank accounts and initiate wire transfers, but he has never done so because the finance function takes care of that. So if he did attempt a transfer, that should be flagged as risky behaviour as it is so atypical - but the right analytics layer is needed to determine whether it is appropriate to increase authentication activity in case someone has been able to get hold of his phone while it was unlocked, or to block the activity completely in case he had gone rogue.
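The risk-based decision described in the last two paragraphs, as an added Python illustration (not Ping Identity's code); the signal names, weights, thresholds and the sample user are assumptions chosen for the wire-transfer scenario above:

```python
# Added illustration, not Ping Identity code: a toy risk-based authentication
# decision in the spirit of the interview's wire-transfer scenario. Signal
# names, weights and thresholds are assumptions chosen for illustration.
from dataclasses import dataclass, field

@dataclass
class Baseline:
    """What is typical for a user: actions performed before, usual countries."""
    actions: dict = field(default_factory=dict)   # action -> times performed
    countries: set = field(default_factory=set)

@dataclass
class Request:
    action: str
    country: str
    resource_value: int     # 1 (low) .. 3 (high); a wire transfer is 3
    typing_anomaly: float   # 0.0 = usual keystroke rhythm .. 1.0 = unlike user

def risk_score(req: Request, base: Baseline) -> float:
    """Atypicality of the interaction, scaled by the value of the resource."""
    atypical = 0.0
    if base.actions.get(req.action, 0) == 0:
        atypical += 0.5     # authorised, but the user has never done this
    if req.country not in base.countries:
        atypical += 0.3     # device is somewhere the user is not usually seen
    atypical += 0.2 * req.typing_anomaly
    return atypical * req.resource_value

def decide(req: Request, base: Baseline, step_up_at=0.6, deny_at=2.0) -> str:
    """Low risk passes, moderate risk gets extra authentication, high risk is blocked."""
    score = risk_score(req, base)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"

# Constructed sample: a CEO who has viewed the accounts often but never paid anyone.
# "XX" is a placeholder for an unfamiliar country.
CEO = Baseline(actions={"view_accounts": 40}, countries={"AU"})
ROUTINE = Request("view_accounts", "AU", resource_value=2, typing_anomaly=0.1)
FIRST_TRANSFER = Request("wire_transfer", "AU", resource_value=3, typing_anomaly=0.1)
ODD_TRANSFER = Request("wire_transfer", "XX", resource_value=3, typing_anomaly=0.9)

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("first transfer", FIRST_TRANSFER),
                      ("odd transfer", ODD_TRANSFER)]:
        print(f"{name}: {decide(req, CEO)} (score {risk_score(req, CEO):.2f})")
```

The first-ever transfer from the usual device and place triggers a step-up challenge, while the same action from an unfamiliar location with an unfamiliar typing rhythm is blocked outright.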