Toward stronger, safer identities
Identity security is shifting with the constantly emerging threat landscape. There have been too many stories about criminals using stolen passwords from employees’ personal apps to breach their companies’ networks. Until a global trust network can be established, organizations can use the three steps outlined above to create global corporate identities that will help strengthen their overall security posture. This will also more seamlessly help move the organization toward its business goals.
- Create an internal corporate passport that requires strong, multi-faceted authentication and use those points of identification to grant access to your corporate network. Too many organizations have separate accounts, IDs and credentials for their various systems and applications. These end up being points that are vulnerable to threat actors. By setting up an identity system internally, access can be controlled more easily.
- Implement more than simple multi-factor authentication (MFA) with SMS verification. For a corporate-wide ID system to work, it needs heavy defenses. Aside from creating strong passwords, other verification methods must be in place. SMS alone can still be thwarted by threat actors - so including things such as biometrics is key.
- Overall, simplify the identity access and governance surrounding the identity, defend it well with the proper authentication methods, and define the business outcomes you're looking to achieve - for instance, seamless and secure access that truly can enable meaningful business without introducing threats like ransomware and fraud.
When we talk about identity in terms of cybersecurity, what are we really talking about? It’s amalgamation of digital identities – things like usernames and passwords – that are used to authenticate users and grant access. It’s not that different from physical identity – like your driver’s license, social security number or work badge that is assigned to you as an individual. This identity authorizes you and gives certain access to where you can go and what you can do – whether it’s traveling abroad, purchasing alcohol at a bar, or filing your taxes. Access is given based on the permissions you achieve.
The same concept applies to the digital world. Each individual user is granted an identity, and that identity is given privilege to access certain areas of your ecosystem. It’s how you ensure the right people have access to the right things – and vice versa.
Seems simple – so what’s the catch?
It can be tempting to think that identity is simple to define, but there’s a caveat between the physical and virtual worlds. In the physical world, an individual is born with one true identity, and that’s the identity that is carried with them in all aspects of their life, making establishing access simple. In the virtual world, people have hundreds of identities – every single online account someone is associated with counts – whether it’s a Netflix subscription, your social media handle, an Amazon ID, a bank ID; the list is seemingly endless.
The problem statement becomes: How can organizations verify and keep up with these near-infinite digital identities? The first line of defense became identity management or access management in a corporate setting. This establishes who has network access and what kind of access they have. But identity management and access isn’t just a corporate problem – it’s much bigger than that.
The proliferation of online accounts and exposure has given threat actors countless points of access to attempt to steal someone’s online identity. How hard is it to do this? Consider that individuals typically have 50+ accounts across the web. Are there going to be 50 different passwords? That’ll either be a nightmare for people to manage, or they will fall back to one password for perhaps 10 applications each. The moral of the story is that it is incredibly easy to steal passwords, given the amount of exposure each individual has in the digital world – and this can create a hole in the corporate network where that individual works.
Proposing a solution: A global trust framework
In the physical world, what would happen if individuals had to carry 50 different driver licenses for each state or a different passport for each country they wanted to visit? That would be madness. Yet that’s exactly what’s happening in the digital world today. And it’s not rocket science to understand why. Using most solutions offered today is like using the best wallet to keep your 50 identification cards secure. The issue isn’t which wallet to use or how to carry it; the issue is that you have 50 IDs.
The alternative is to have one ID that is properly secured and can be used globally. This level of simplicity requires a global trust framework. The password system needs to be a trust framework system, similar to a passport. A new passport isn’t needed for every country visited; it is part of a global trust network. This is the concept that needs to be established to simplify the landscape.
That’s the real problem statement with identity security. It’s less about establishing the access points and more about dealing with the multitude of identities each individual carries and the risk that this entails.
Three steps to begin the process
Obviously, creating a global trust framework that has federal backing is going to be an extremely large undertaking and is years from coming to fruition. That said, there are steps organizations can take to create this environment within their own ecosystems.