May 23 2025

RSAC 2025: How Can Organizations Strengthen Their Identity Security Posture?

Stolen and misused credentials are threat actors’ top attack strategy. Rohit Ghai, CEO of the security company RSA, explains what businesses can do about it.

Cybercriminals have more sophisticated tools than ever to deploy as they seek to compromise networks, but they continue to rely primarily on the tried-and-true method of impersonating authorized users. The reason: It works.

In a conversation with BizTech Managing Editor Bob Keaveney at RSAC 2025, Rohit Ghai, CEO of RSA, the security company that started the event decades ago (but is no longer involved in hosting it), explored the latest artificial intelligence-driven methods for bolstering identity security.

BIZTECH: What’s new in the world of securing identities?

GHAI: I’ll start with what hasn’t changed. What hasn’t changed is that identity is still the No. 1 initial attack vector. Credential abuse, as the Verizon 2025 Data Breach Investigations Report says, is the primary way the bad guys get through. That hasn’t changed.

What has changed, though, is that threat actors are now using very advanced AI techniques to actually impersonate people and target workflows. Not necessarily at the time of authentication, but at other moments in an identity’s lifecycle.

The perfect example of that is the MGM breach. A few years ago, somebody called the help desk there and said, “Hey, I’ve lost my phone. I need to reboot my credentials, can you help me?” It was a help desk business process and workflow that they compromised to conduct credential abuse.

The MGM case was not actually an AI use case, but now what they’re doing is having AI impersonate a human voice so it actually sounds like the person that’s supposed to be calling on the other end. And that’s the power of AI, the more perfect impersonation, as opposed to just some random person calling.

BIZTECH: What can you do about that?

GHAI: There are a couple of things. One is that most of these attacks have been at the back of passwords: “OK, I’ve forgotten my password, can you reset it?” And I’ve been talking about the three Ps of identity for 2025, which are passwordless security, posture management and platformization. Passwords are clunky, costly and categorically insecure. Going passwordless in the workforce is one solution.

We’ve launched a set of solutions that cover every attack across every platform, across every use case and across every device. Because passwordless does not mean fewer passwords; it means no passwords. If there’s some legacy application that still requires a password, that is not passwordless.

We’ve instrumented the entire IT estate and created a solution that instruments and eradicates passwords, reducing the probability of these phishing-type attacks. And one of the solutions, specifically as a part of the passwordless suite for RSA, is what we call Help Desk Live Verify.

If there is a help desk transaction, we do a live, bilateral verification: Is the person who’s calling to be helped indeed the person that they’re claiming to be, and is the help desk person the right individual? It’s a two-way verification of that transaction, because if you are granting somebody a credential, that’s a high-value transaction.

BIZTECH: How are you enabling passwordless authentication protocols?

GHAI: There are three general approaches to passwordless. The first is FIDO. It’s phishing resistant. And we at RSA have been on the board of the FIDO Alliance. It’s a multivendor alliance to work on passwordless authentication protocols. It’s based on cryptographic transactions. The challenge is that only modern applications are going to support FIDO.

Another approach is to use techniques like QR code-based one-time passwords, or some of the standard MFA-type techniques to provide a next set of solutions related to an action by the user without using passwords to authenticate who they are.

And the third category is biometrics. There’s the FIDO protocol using cryptographic techniques, there are process-centric things like scanning a QR code or getting a push notification on your phone and reading out that OTP, there is biometrics. We use a combination of these three capabilities to ensure that there is a comprehensive solution that has no passwords, as opposed to fewer passwords.

“Threat actors are now using very advanced AI techniques to break through, to actually impersonate people and target workflows.”

Rohit Ghai, CEO, RSA

BIZTECH: Many organizations are striving to deploy passwordless. What are the mistakes they’re making? Where are the security gaps?

GHAI: We’ve obsessed over the past several years over how you define an enterprise-ready passwordless solution. There are three dimensions to it. One is comprehensiveness, which we already talked about. You have to cover all use cases across your entire IT estate: all applications, all platforms, every case. Next is the security dimension. And on that, FIDO was designed to be phishing-resistant.

Across the years, phishing has been a major initial attack vector. But the reality is, you can’t be satisfied defending against the attacks of yesterday. You need to be thinking about the attacks of today and tomorrow. So, a passwordless solution needs to be phishing-resistant, it needs to be bypass-resistant.

In the help-desk instance, the person had multifactor authentication, a very strong authenticator, but the attacker said, “I can’t beat it, so I’m going to bypass it.” And so, it needs to be bypass-resistant. It also needs to be outage-resistant: always available. It needs to be malware-resistant. If the phone that you’re using to store your passkeys is compromised or has malware, it’s not a trustworthy device to use for authentication. So, you need to protect against not just phishing-based attacks, but all attacks.

And the final piece is the end-to-end lifecycle management. How are passkeys initially granted? What happens if the employee resigns? What’s the governance for the actual management of the credential?

BIZTECH: How do you defend against attacks of tomorrow?

GHAI: The Help Desk Live verification feature actually contemplates the fact that it could be a malicious AI agent on the other side of the phone. The solution forces the other side to prove that they’re actually a human, and not just any human but the correct human, by doing “liveness” tests, such as face recognition and voice recognition techniques.

That’s one example. The other thing that I want to point out is the cryptography. We have a token that is FIDO-enabled; it is the only token that supports FIPS 140-3 encryption, a federal mandate for federal agencies, which means it’s cryptographically much more secure compared with any other solution out there. FIPS 140-3 is not mandated for regular enterprises, but it’s the highest level of assurance in terms of the cryptographic power of defending against AI-powered or very sophisticated nation-state attacks.

BIZTECH: Where is the industry in making use of AI for defense and defending against AI?

GHAI: It’s the early days. In terms of the use of AI, there’s a lot of potential, there’s a lot of hype — and also a lot of snake oil. In the case of identities, the reality is that assuring identities today is actually a superhuman problem. A human cannot manage the complexity of today’s attack landscape, with so many things to protect.

Everything is very granular: As things move to the cloud, there are not thousands of applications but millions of microservices that together make an application that needs to be protected. On the other side, it’s not just human identities, it’s not just users acting on a network. You also have AI agents acting on your network. So, you have an exponential rise in malicious actors in the network because they are both human actors and machine actors.

The business of saying, “This actor in the network can access these things and only those things,” is now a superhuman problem. And how we are using AI to solve that problem is an area called identity security posture management.

BIZTECH: What is identity security posture management?

GHAI: If identity is the most attacked part of the attack surface — if that’s indeed how the bad guys are getting in — the best way to improve your security posture is to improve your identity security posture. That means using AI to shine a light on identity risk.

For example, let’s say you work for a business, and you have access to a certain set of applications. A typical user only uses 20% of their entitlements; the other 80% that is unused is ripe for the taking when the threat actor strikes, because the employee will never notice if somebody else used an application that they hardly ever use.

The bottom line is to use AI and analytics to illuminate identity risk. Common risks, in addition to underused privileges, include anomalous or unusual access, as in someone seeking access to data from an unusual location or an unusual time.

BIZTECH: Is there anything you’d like to add?

GHAI: We talked about two of the three Ps of identity: posture management and passwordless. The last one is platformization. And look, everybody is claiming to be a platform at this conference.

Everybody knows that the velocity of threats is increasing. It’s AI-powered now. If you have these siloed solutions that don’t share data or context, you cannot keep up with those threats. So, a platform approach is important, but as you do that, I think it’s also important to make sure you think about a core security principle, which is segregation of duties.

What I mean by that is you could have your cloud provider say, “Hey, we will offer you this cloud infrastructure and will also offer you identity security solutions to protect it.” That’s putting all your eggs in one basket. And when you do that, you’re prone to outages. As you platformize, my recommendation is to not create a platform strategy that is too concentrated.

You don’t need 140 vendors in your environment, but don’t go to one or two. Have a few strategic priorities, where you’re designing the separation of duties concept to make sure your strategy is ready for the AI-powered threat actor.
