Today is Identity Management Day, which aims to inform the public about the dangers of casually or improperly managing and securing digital identities. The day was started in 2021 and is hosted by the Identity Defined Security Alliance (IDSA) and National Cybersecurity Alliance.
A digital identity doesn’t have to mean a person. According to the definition, a digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, but it can also refer to an organization, application, or device.
Work from home and bring your own device policies have blurred the lines between personal and professional lives. Poor cyber hygiene on an individual’s professional or personal account or device can leave an entire organization’s digital identity vulnerable.
What is identity management?
Identity management, which is also referred to as identity and access management (IAM), ensures that authorized identities – and only authorized identities – have access to the resources they need to perform their functions. The identity and access management functions are often seen as one, because they are often combined in one framework. But it can be important to view them separately to realize what you are trying to achieve.
Using an everyday analogy, identity management is knowing who is knocking at the door, and access management is knowing whether that person can be allowed into the house. First a user has to be positively identified and verified by a system, and then the system needs to know what resources that user has access to, and which permissions can be granted.
Why identity management matters
Research by the IDSA reveals that 79% of organizations have experienced an identity-related security breach in the last two years, and 99% believe their identity-related breaches were preventable. According to the 2020 Verizon Data Breach Investigations Report, as many as 81% of hacking-related breaches leverage weak, stolen, or otherwise compromised passwords.
It’s also important to realize that IAM is not just for internal use anymore. Organizations must be able to provide secure access for contractors and business partners, remote and mobile users, and sometimes customers.
Because it acts as the gatekeeper between users and critical enterprise assets, IAM should be a critical component of any organization’s security program. It should also help protect against compromised user credentials and easy-to-guess passwords, which are common network entry points for criminal hackers who want to plant ransomware or steal data.
A key task of IAM systems is to authenticate that an entity is who or what it purports to be. The most basic authentication happens when a person enters a username and password into a login screen. The IAM system checks a database to make sure they match what’s on record.
But the time when we could resort to simple password protection for anything of importance has long gone.
Modern authentication solutions provide more sophisticated approaches to better protect assets. Multi-factor authentication (MFA) is an important step towards ensuring that only legitimate users can access accounts and applications.
By definition, MFA depends on two or more different methods of confirming the user’s identity. Not all of these methods are equally secure, and choosing factors that are not co-dependent should be a no-brainer. When choosing your authentication method(s), also consider a safe method to deal with lost passwords, tokens, devices, etc.
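The door analogy and the MFA requirement described above can be shown in a few lines. This is an added example, not code from the original article or from any IAM product: the role table, the user record layout and all function names are assumptions, and the second factor is a standard time-based one-time password (RFC 6238).

```python
import hashlib, hmac, os, struct, time

# Constructed sample data: role names and permissions are illustrative only.
ROLE_PERMISSIONS = {"hr": {"payroll:read"},
                    "it-admin": {"payroll:read", "users:write"}}

def hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF from the standard library; the password itself is never stored.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 time-based one-time password (HMAC-SHA1 with RFC 4226 truncation).
    counter = struct.pack(">Q", int(at // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)

def make_user(name: str, password: str, role: str) -> dict:
    # Hypothetical enrolment step: the TOTP secret would live on the user's device.
    salt = os.urandom(16)
    return {"name": name, "salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": os.urandom(20), "role": role}

def authenticate(user: dict, password: str, otp: str, now=None) -> bool:
    """Identity management: who is knocking at the door?"""
    now = time.time() if now is None else now
    candidate = hash_password(password, user["salt"])
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])  # constant-time compare
    expected = totp(user["totp_secret"], now).encode()
    otp_ok = hmac.compare_digest(otp.encode(), expected)
    return pw_ok and otp_ok  # both independent factors must pass

def authorize(user: dict, permission: str) -> bool:
    """Access management: may this verified identity come in?"""
    return permission in ROLE_PERMISSIONS.get(user["role"], set())

def request_access(user: dict, password: str, otp: str, permission: str, now=None) -> str:
    if not authenticate(user, password, otp, now):
        return "denied: identity not verified"
    if not authorize(user, permission):
        return "denied: not permitted"
    return "granted"
```

A correct password with a wrong one-time code is rejected before any permission is looked up, and a fully verified user is still refused a resource their role does not cover.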
Setting up identity management
Scalability, ease of use, and manageability are important features to keep in mind when you are looking for an identity management framework:
Can the solution grow with your organization?
This is not just about the number of employees. You should also take into account a possible need for growth because of external users that need access, or a change in usage that can alter the demand on your IAM framework, for example when your organization sets up additional offices.
Is it easy to add new users?
For your IT staff, adding and removing identities should not be a tedious task. For this reason, and because of privacy regulations, the information your staff stores at first contact should be limited to the minimum that is required and appropriate for the role the new identity will get.
Is it easy for users?
Annoying employees is the opposite of what you are trying to achieve, so the system must be easy to use and inclusive. Accessibility, usability, and inclusion are closely related aspects in creating a system that works for everyone.
A good identity management system should minimize the time between onboarding a new employee and giving them access to system resources, while providing optimal security to protect the enterprise against threats that could lead to data theft, malicious attacks, or the exposure of sensitive customer, patient, or legal information.
From a consumer point of view, it’s important that organizations keep the information you entrusted them with safe. While it seems that privacy is becoming a rare commodity, especially in some countries, it is one that we should value. As such, it is important for a consumer to feel like they can trust your organization, and gaining that trust can be done by letting the potential customer know that their personal information will be safe in your hands.
There is a good reason why customer identity and access management (CIAM) is usually separated. CIAM can be defined as the strategies, processes, and tools used to govern how customers use a resource like your website, how their identity or account data is stored and utilized, and how their identity data is protected from breaches. It can also benefit an enterprise by allowing it to deliver a more personalized and conversion-friendly experience.
Stay safe, everyone!