What is Identity Management and How Does it Fit with Cybersecurity?
4 min read
Most of us are used to showing our driver’s license or passport to prove something about who we are. Having a digital version of an ‘identity’ can be used to drive online transactions and control access to company IT resources.
Digital identity management or Identity and Access Management (IAM) is a discipline within information security. IAM focuses on how to control access to resources by identifying and in doing so, controlling, the person attempting access. A recent report by cybersecurity company, Centrify, found that 74% of data breaches involved using a privileged account. So, using robust and secure IAM is very important in an organization.
The market for identity management is expected to be worth around $24 billion by 2025, showing it is a massive and growing space.
Read on to find out more about what modern digital identity is and the types of areas where cybersecurity and digital identity overlap.
Types of IAM
Identity and Access Management has evolved from an early enterprise directory system like Active Directory to a more complex landscape of choices. Digital identity can cover everything from a simple login to a cloud app to complex, verified, citizen identity ecosystems.
As cloud computing has become ubiquitous, and network perimeters have been removed, digital identity systems have evolved to support many types of uses.
Typical examples include:Enterprise/employee IAM
Enterprise identity management is changing as companies move to cloud infrastructures. Directories such as Active Directory now have cloud versions. Enterprise IAM systems allow administrators to set up user roles and apply access control based on those roles.
Identifying consumers can be tricky. One of the greatest challenges is balancing between usability and security. Consumer authentication can be one of the most difficult areas to resolve. Consumer IAM is also complicated by the requirements of data privacy laws such as the California Consumer Privacy Act (CCPA). Consumer IAM or CIAM, however, offers a way to build relationships with customers that can be highly beneficial.
Governments across the world are working on digital identity initiatives to allow citizens to engage with online government services. Citizen ID often requires that the individual registering for an identity is verified to a high level of assurance. This can be done using a variety of techniques, such as identity checks against credit file agencies and anti-fraud checks.
Self-sovereign identity (SSI)
This is a new form of a digital identity; the underlying ethos is to have identity data held by the individual, with the proof of this as true, being decentralized, as opposed to held in central repositories. Most current forms are based on the use of blockchain ledgers. It is early days for decentralized IDs but worth watching.
Cybersecurity and Identity
Because digital identity is used in a transaction and uses personal data and login credentials, it dovetails tightly with cybersecurity. Areas of crossover include network security, cloud app access, and social engineering, which are all linked to IAM systems and important considerations when designing and implementing such a system. The following areas are key reasons to keep identity safe and, in turn, prevent data breaches.
- Identity theft: 33% of U.S. adults have had their identity stolen, which is twice the global average. Stolen personal data it is used to either directly impersonate an individual’s digital identity or snippets of these data are used to create a synthetic identity:
- Synthetic identity: Cybercriminals take real data that has been stolen during data breaches, such as social security numbers, and mix it with other user data or even fake data to build a synthetic identity. Often these data are available for sale on the darknet. In 2018, 446 million data records were stolen, giving ample opportunity to create synthetic IDs. Recently, a “synthetic identity ring” stole over $200 million using 7,000 synthetic identities and 25,000 credit cards.
- Credential stuffing: In the 18 months to June 2019, there were 61 billion attempts at credential stuffing. This is where stolen passwords and usernames are used to hack into accounts. HaveIBeenPwned lets you check to see if any of your passwords have been stolen. If you find any of your passwords has been involved in a breach, change them immediately using the account they are associated with.
IAM and digital identity are used to protect access to resources. Digital identity acts as a gatekeeper, and an identity, whether that be for an enterprise employee or a consumer, is a valuable asset. This makes digital identity an attractive target for a cybercriminal. In an enterprise, an identity can offer a way into network resources to plant malware or cause other types of damage. In a consumer context, it can be used to commit fraud. The underlying data that is held by a digital identity, from login credentials to verified personal information must be protected using robust security measures.
On the positive side, a well-designed and robust IAM or consumer identity service can be a major security asset to an organization. In the case of a Consumer IAM system, it offers other benefits such as building trusted relationships and having a way to securely contact customers. The Managed IT team at Novatech has 25 years of experience and we provide our clients with maximum protection.