Discussing Current and Future Security Trends
With Global Cybersecurity Products CTO at Eviden
Eviden is an Atos business that brings together its digital, cloud, big data and security business lines. Atos is a global IT Group headquartered in France company that provides services and products in 73 countries around the world and employs more than 110,000 people. Eviden keeps growing in the security field, by swiftly adopting future-oriented trends along the way.
Intelligent Wave Inc. (IWI) is an IT services company in Japan that for over 30 years has developed a system for network connection and credit card payment authorization and a system for preventing credit card fraud. IWI also sells Evidian IAM (Identity and Access Management), a software solution of Eviden, and also provides installation and maintenance support.
This time, Mr. Kunimitsu Sato, Chief Executive Officer, Representative Director from IWI interviewed Mr. Vasco Gomes, who oversees Eviden’s cybersecurity products, about security trends and the strengths of Evidian IAM.
Intelligent Wave Inc. Chief Executive Officer, Representative Director
Appointed CEO, Representative Director of IWI in September 2020, Mr. Sato is always pursuing innovation. As a company, IWI is now evolving from the field of payments, payment and information security to support the reliability of businesses in various industries.
Mr. Sato takes on new challenges by promoting diverse work styles and the active nurturing of talent for the employees — with the idea that efforts to improve human capital can ensure the stable operation of IT infrastructure and improve the quality of products and services beyond the scope of business risk management.
Global Cybersecurity Products CTO at Eviden, an Atos business
Cybersecurity Distinguished Expert,
Scientific Community Member
Through his 20+ years of experience in information security, Vasco helped many customers balance operational constraints with acceptable business risks. In recent years, he has expanded this experience to help clients understand what the information security landscape might be in the next 5+ years and provide them with the key to anticipating the future of cybersecurity and maximizing sovereignty over their most critical data.
Using those interactions and by continuously monitoring major technological trends, Vasco influences Eviden’s cybersecurity roadmap, as well as partnerships and M&As.
“It is important to take measures based on the premise that the security perimeter will be crossed”
Sato: Mr. Gomes, it is a great honor to have you, the Global Cybersecurity Products CTO at Eviden, an Atos business, join us today. Without further ado, please tell us about the current global security trends.
Gomes: Two trends have emerged in the last 20 years. The common factor for both elements is "crossing the security perimeter."
The first trend is that resources such as internal devices and users are moving outside traditional security perimeters. Users need to access the company's IT resources from outside the company in order to work remotely. Users and devices have become more fluid, especially as a result of telework being recommended due to the influence of the coronavirus.
The second trend is the movement of external, unmanaged resources inside the security perimeter. Examples include BYOD (Bring Your Own Device — inside the company), access to the company’s resources by external partners, and the spread of external sensors (such as IoT devices) involved in IT or OT processes.
About 20 years ago, a firewall was enough to protect the internal network environment, but today, it is undeniable that the traditional “fortress” approach is no longer enough. The use of SaaS and the expansion of telework have made these environments more complex, requiring more flexible security measures.
Sato: So, you mean that the nature of security measures has changed completely due to the impact of the new coronavirus. Could you concretely define those measures?
Gomes: The security measures were, until recently, what you could call perimeter-bound defenses, which were designed to protect “in-house” environments that were distinctly separated from the outside, or to put emphasis on securing the network when using outside services and resources. However, now that people are working in different places, that perimeter-bound defense is becoming less and less effective.
In today's fluid and complex environments, it is necessary to manage IDs (and their access rights), and to implement context-aware policies on each and every access. In other words, it is necessary to implement measures that focus on people, and not the environment.
Sato: Corporate IT systems are increasingly using cloud services in addition to conventional on-premises systems. In such situations, Evidian IAM, which can centrally manage advanced IDs, is effective.
How is Eviden helping companies move toward an approach based on identity and access request policies?
Gomes: We help our clients achieve that approach by aligning with their objectives. By helping them adopt identity-based zero trust principles, context-aware policies and continuous, risk-based verification, for example.
In these projects, the Eviden Cybersecurity Services team also advises clients to optimize planning and execution.
Evidian IAM is continuously evolving in order to keep providing support to clients, by providing multi-factor authentication (MFA) and access control for user authentication to align with zero trust principles. In addition, prescriptive IAM — the AI engine of the product line — collects information on access and evaluates access policies in order to constantly improve the IAM system. This prescriptive IAM is also used for analysis within Eviden, and we expect that it will lead to the provision of even higher quality services.
Sato: It must be reassuring for customers to know that the Evidian IAM team’s expertise, combined with the AI engine features, supports them in everything from planning to implementation. Also, as a developing company ourselves, we believe we can learn from Evidian IAM’s stance, which is defined by a continuous evolution and the addition of new functions.
Will behavioral biometric authentication become a future security trend?
Sato: Looking ahead to future security trends, please tell us about any technologies you are currently working on.
Gomes: We are researching and adopting various means to improve the user experience (UX). With conventional login authentication and biometric authentication (face, fingerprint, iris, etc.), authentication is required each time you access a different system such as an application or device, which poses an issue in terms of work efficiency.
With that in mind, we are currently researching how to make authentication easier, including using behavioral biometry.
Easing authentication can be done by calculating risk levels based on information about the user attempting authentication; if the computed risk level falls below a customizable “safe” threshold, the authentication steps will be reduced. This helps reduce the time and effort required for user authentication and leads to more efficient operations.
Behavioral biometry authentication uses factors such as kinetics (posture, gait), voice, device input, mouse and touch screen activity, and device movement.
Sato: What are the benefits of using behavioral biometrics for authentication?
Gomes: The benefits are improved usability and continuous authentication.
This authentication method analyzes user actions and uses them as authentication factors.
This method allows us to automatically assess authentication without interrupting the user's operation. In other words, users can prove who they are without having to worry about entering credentials.
The second benefit, continuous authentication, is a method which saves the trouble of user authentication by performing continuous authentication of a given individual. It is mainly combined with sensors such as cameras, microphones, monitors, or the use of the mouse. It continuously learns the user’s operations then uses that information — which is unique to the user — as authentication information, without them having to prove who they are to authenticate. In addition, continuous authentication not only eliminates the need for users to authenticate themselves but can also be expected to dynamically manage access rights. It can detect behavior that could potentially be a risk and temporarily restrict the access rights of the user, without requiring the access rights administrator to constantly monitor.
Sato: So, if behavioral biometrics authentication becomes a reality, it will be possible to perform authentication automatically and dynamically — with what we expect will be a flexible and robust authentication method?
I heard that in addition to behavioral biometrics, you are also adding the use of physiological biometric authentication methods, such as heart rate recognition to your portfolio.
Gomes: Yes, we provide the use of heart rate and vein patterns as authentication factors through specific wearable devices. In collaboration with Canada's Nymi Inc., we are exploring ways to use wearable terminals to enable personal authentication — even when wearing a mask or gloves.
About the FIDO sign-in authentication trend for consumers
Sato: Please tell us your thoughts on the FIDO sign-in authentication, which is being used by Apple, Google, Microsoft and others.
Gomes: FIDO sign-in authentication is a robust mechanism, because no authentication information is shared through the network to the server side, which reduces security risks. We also believe that it should be promoted because it reduces the burden of entering authentication information and leads to improved work efficiency.
Passwords have been around for a long time and are still used by many companies and organizations today. As a result, in order to strengthen security, companies are implementing MFA (multi-factor authentication) which burdens users with more authentication steps.
As the UK NCSC (National Cyber Security Centre) puts it: “Very often, if security doesn’t work for people, it doesn’t work at all.” We think security and UX should not be separated.
Evidian also promotes the FIDO approach, making it easier for consumers to use such authentication services.
On the other hand, when companies deploy the FIDO authentication method, it is usually not clear for most users how to register and use FIDO keys on each terminal for authentication. We believe that this is something that we should work on in the future.
Starting with working on behavioral biometric authentication, we will continue to make efforts to improve security and UX.
Sato: Within IWI, we have a team dedicated to Evidian IAM. I hope that we can continue to work together to spread the use of your solutions and services. Thank you for coming today.
About Evidian IAM, an Identity and Access Management product
Evidian IAM provides a comprehensive set of IAM functions, such as SSO (single sign-on) which reduces authentication to one single time, ID management that manages a given system’s privileges and automatically grants, changes, and revokes them, multi-factor authentication and many others. By building an integrated authentication infrastructure based on these products, companies can automate their IAM architecture, and thus strengthen security and reduce the burden of responding to audits, while improving convenience for both system administrators and users.