7 tips to manage the security of digital identities
Published on 05/01/2023 in News
Security is evolving: the focus has shifted from the network perimeter to the user. Until recently, identity management was often fragmented, whereas what is needed is a holistic approach.
7 tips for successful identity management from Bart Callens, Product Manager at Proximus.
A digital identity is defined as the body of information about an individual, organization or electronic device that exists online. It is important that an organization manages its digital identities properly, especially in relation to the access those identities have to the organization's network, data and applications.
1. The three commandments: who, what, where
Companies like Google and Facebook are probably the biggest processors of identity-related data. Yet that data serves little purpose for identity assurance: a government service will never allow a citizen to register simply using his Facebook ID. This is due to the three commandments of identity management: authentication (being certain who it is), authorization (giving that person the appropriate rights and privileges) and audit (being able to reconstruct afterwards who accessed what, and what has happened to the data).
2. Integrated approach required
An organization must not consider its approach to identity management purely from an IT-technical perspective. Many departments in the organization are concerned. Human Resources, for example, is responsible for the on- and offboarding of employees; Marketing wants a smooth customer experience during registration and wants to stimulate usage of digital applications by customers; and Legal and Compliance wants to manage digital identities because they are subject to many laws and regulations such as GDPR. Therefore, it is important that all relevant stakeholders are identified and involved during the digital identity project.
Identity management is also an important cornerstone of a modern Zero-Trust architecture. It should therefore be integrated into your overall Zero-Trust architecture (including ZTNA, Zero-Trust Network Access), and identity-related events should be correlated with the other security events in your network. Many modern attacks involve escalation of privileges as a step in the Kill Chain. Detecting identity-related threats at that step allows you to stop attacks earlier and limit the harm done during an attack.
3. Start small and learn
A Big Bang approach is not recommended for successful Identity Projects. Start small, addressing a limited number of user groups, applications and roles. Learn from your minimal viable product in an agile way to extend your initial Identity Security project into a continuous Identity Security program.
4. User experience and communication are essential
A user-friendly interface increases the speed at which the identity solution is adopted. If the solution is perceived as being too strict, then users may start to show resistance. End-users expect an efficient interface, which includes mobile devices. Therefore, integrate your identity solution with communication channels already adopted by your users, such as Microsoft Teams or Slack.
5. Long-term work
Identity management is not a project but a program. Once the platform has been implemented, it is essential for monitoring and evolution to continue. Identity management is therefore a long-term matter. An organization must never stop thinking about how it wishes to stay connected with its clients, staff, and suppliers.
6. MFA where you can, but no silver bullet
If not yet the case, apply multi-factor authentication (MFA) wherever you can, to protect against credential theft and brute-force attacks. However, MFA is no silver bullet. Attack techniques such as MFA fatigue (bombarding the user with push prompts until one is approved), pass the hash, pass the token, or pass the cookie can circumvent multi-factor authentication, mostly by reusing material from a session that has already passed the second factor rather than by defeating the factor itself.
Apply passwordless authentication and FIDO2 (Fast Identity Online) where relevant, and monitor your endpoints and identity infrastructure for suspicious activity. Do not forget to protect your mobile devices as well, because they tend to be the weakest link and are becoming increasingly attractive targets for attackers. In many cases they carry the second factor of MFA (think of authenticator apps such as Microsoft or Google Authenticator).
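Two of the patterns named above can be picked up from identity-provider logs, which is the kind of monitoring the tip asks for. The following is an added example, not code from the original article or from Proximus: it flags an MFA fatigue burst (many push prompts to one user in a short window, ending in an approval) and a pass-the-cookie indicator (one issued session presented from more than one source IP). The log format, field names, the sample events and the thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample identity-provider events (not real logs). The assumed
# format is: timestamp|user|event|result|source_ip|session_id
# Session identifiers here are placeholders; a real pipeline would log a hash.
SAMPLE_LOG = """\
2023-05-01T08:00:01Z|alice|password|success|203.0.113.5|-
2023-05-01T08:00:03Z|alice|mfa_push|denied|203.0.113.5|-
2023-05-01T08:00:40Z|alice|mfa_push|denied|203.0.113.5|-
2023-05-01T08:01:15Z|alice|mfa_push|denied|203.0.113.5|-
2023-05-01T08:01:50Z|alice|mfa_push|denied|203.0.113.5|-
2023-05-01T08:02:30Z|alice|mfa_push|denied|203.0.113.5|-
2023-05-01T08:03:05Z|alice|mfa_push|approved|203.0.113.5|S-1001
2023-05-01T08:03:06Z|alice|session_issued|success|203.0.113.5|S-1001
2023-05-01T08:10:00Z|bob|password|success|198.51.100.7|-
2023-05-01T08:10:05Z|bob|mfa_push|approved|198.51.100.7|S-2002
2023-05-01T08:10:06Z|bob|session_issued|success|198.51.100.7|S-2002
2023-05-01T08:30:00Z|bob|api_call|success|198.51.100.7|S-2002
2023-05-01T08:31:00Z|bob|api_call|success|192.0.2.44|S-2002
2023-05-01T09:00:00Z|carol|password|success|203.0.113.9|-
2023-05-01T09:00:04Z|carol|mfa_push|approved|203.0.113.9|S-3003
"""


def parse_log(text):
    """Parse the assumed pipe-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip, session = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "event": event, "result": result,
            "ip": ip, "session": session,
        })
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received at least min_prompts push challenges inside
    `window` and then approved one: the signature of an MFA fatigue attack."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    findings = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for i, e in enumerate(pushes):
            if e["result"] != "approved":
                continue
            # Count every prompt (including the approved one) in the trailing window.
            recent = [p for p in pushes[: i + 1] if e["ts"] - p["ts"] <= window]
            if len(recent) >= min_prompts:
                findings.append({"user": user, "prompts": len(recent),
                                 "approved_at": e["ts"]})
    return findings


def detect_session_reuse(events):
    """Flag sessions presented from more than one source IP. A stolen cookie
    or token replayed from the attacker's host shows up as a second IP on a
    session that was issued elsewhere (pass-the-cookie / pass-the-token)."""
    ips_by_session = defaultdict(set)
    owner = {}
    for e in events:
        if e["session"] == "-":
            continue
        ips_by_session[e["session"]].add(e["ip"])
        owner[e["session"]] = e["user"]
    return [{"session": s, "user": owner[s], "ips": sorted(ips)}
            for s, ips in ips_by_session.items() if len(ips) > 1]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_mfa_fatigue(evs):
        print(f"MFA fatigue: {f['user']} approved after {f['prompts']} prompts at {f['approved_at']}")
    for r in detect_session_reuse(evs):
        print(f"Session reuse: {r['session']} ({r['user']}) seen from {r['ips']}")
```

On the constructed data this reports alice (six prompts in under four minutes, the last one approved) and bob's session S-2002, which is used from a second address twenty minutes after issuance. An IP change alone is not proof of theft (mobile networks and VPNs change addresses legitimately), so in production you would enrich the session-reuse rule with ASN, geolocation or device-binding signals before auto-revoking, and tune the fatigue threshold to how many prompts your users actually generate in normal use.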
7. Context must not be forgotten
The way to protect and manage digital identities and their access changes depending on the context in which the identities are used. Digital identities in a B2E, B2C, B2B, or G2C context each come with their own challenges and solutions. For example, managing employee access to your corporate applications differs very much from how you will secure the digital identities of your customers and prevent digital fraud. Staff sometimes require access to platforms holding sensitive data, and this also requires extra security. Digital identity models used to be thought of mainly in silos, but we are now seeing more and more models that take a centralized approach. It is important to know the pros and cons of each approach and to implement the model that suits your business or use case. Above all, it is important to find the right balance between privacy and security.
Finally, do not forget to look beyond traditional users in your identity management plan. Applications, platforms, or bots also have a digital identity that needs to be properly managed and protected.
Your company data is exposed to growing risk: you have more mobile workers, you are storing more data in the cloud, and your employees have a bigger digital footprint.