by Martin Klein,
Business Analysis (BAPL) Consultant
There seems to be a lot of attention on Identity information and in particular identity theft recently. With the increasing rate of data breaches targeting Personal Identity Information (PII), more of us risk losing our identity in the digital age than we ever have before. The explosive growth of online shopping, social media and the Internet of Things has required us all to create online accounts across an ever-growing number of sites.
I, for one, have not seen the necessity to limit the number of versions of my digital self. I live in the false belief that an old account I no longer use will somehow be deleted and removed from the site, while only the new accounts and sites I am using remain relevant. My partner, on the other hand, doesn’t believe in online shopping, nor is she enamoured of the need to share every meal, holiday snap or daily event with all her family and friends online. For her, a person who has deleted her Facebook account and removed any other online presence save that required for work, the Internet presents too high a risk to personal privacy.
Many of us try to make the job easier by using our social media account to log in to a new shopping site we simply must have access to, or by establishing an account with a new organisation through work. We believe, falsely, that using social media as an authentication mechanism provides a more secure “digital presence”, limiting the number of passwords we need to remember and thereby reducing the security risks. It does reduce the number of passwords, but the only security gained is that we reuse existing credentials to log in rather than creating a whole new username / password combination. The new site will still create a digital version of us, a copy that might hold more or less information than we have already provided elsewhere.
Our data is exposed to the world and secured only by the company’s security systems. Alas, sometimes these are less than effective, and at other times, despite the company’s best efforts to keep the data safe, we inevitably hear more stories of identity data being “stolen” by state actors or “unknown hackers”.
At times we can’t even trust those organisations to which we have enlisted our online presence. Some of these organisations sing to a different agenda, chasing increasing revenues through selling identity information, or allowing analysts to evaluate our online patterns to form advertising or direct manipulation of our actions through suggestive media placement.
The need for greater security measures is clear. Regulation is required to ensure that companies that do not take reasonable measures to secure identity data are held responsible for the potential loss of personal safety and the security of PII, including credit card information, phone numbers and address data. To meet this requirement the European Union has released the General Data Protection Regulation. While this doesn’t prevent a breach, it does put the onus on companies to implement strong security measures, to avoid the fines that result from a data breach and the loss of their clients’ personal identity information.
Whatever security you may have felt when enrolling with the corporate site has been lost. We are left to search Have I Been Pwned (https://haveibeenpwned.com/) to see if the email address and account information we used to log in to this site have been compromised.
Corporates need to establish stronger policies and security around Identity Management to ensure that our identity data remains safe. They need to ensure that each person is provided a single Digital Identity to access every application and every resource needed for the tasks, work or services they are required to perform. Whether for an employee accessing corporate information, a student accessing university data and resources, a temporary visitor to a firm, or a customer accessing an online site, providing access and managing the Digital Identity information correctly ensures that access to the required applications is provided and data security is maintained.
Some of the fundamental steps that Identity Management performs automatically to secure identity data across the organisation’s environment are: establishing a single identity store; ensuring only the minimal information needed is placed in each application; managing the identity lifecycle by granting access to applications; disabling or removing that access when it is no longer required; and removing the account completely when requested.
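The steps above, modelled as a small central identity store, are shown here as an added example (not code from the original post): each application receives only the attributes it is entitled to, a leaver trigger disables the identity and removes every downstream account, and erasure on request removes the record entirely. The application names and attribute names are constructed for this example.

```python
from dataclasses import dataclass, field
# Per-application attribute allow-lists: each app receives only what it needs.
# App names and attribute names here are constructed for this example.
APP_ATTRIBUTES = {
    "payroll": {"employee_id", "display_name", "bank_ref"},
    "wiki": {"employee_id", "display_name"},
}

@dataclass
class Identity:
    employee_id: str
    attributes: dict        # full record, held only in the central store
    status: str = "active"  # active | disabled
    accounts: dict = field(default_factory=dict)  # app -> minimal copy given to it

class IdentityStore:
    """Single source of truth for identities and their application accounts."""
    def __init__(self):
        self._identities = {}

    def register(self, employee_id, **attributes):
        attributes["employee_id"] = employee_id
        ident = self._identities[employee_id] = Identity(employee_id, attributes)
        return ident

    def provision(self, employee_id, app):
        ident = self._identities[employee_id]
        if ident.status != "active":
            raise PermissionError(f"{employee_id} is {ident.status}")
        # Minimal disclosure: copy only the attributes this app is entitled to.
        ident.accounts[app] = {k: ident.attributes[k]
                               for k in APP_ATTRIBUTES[app] if k in ident.attributes}
        return ident.accounts[app]

    def deprovision(self, employee_id, app):
        self._identities[employee_id].accounts.pop(app, None)

    def disable(self, employee_id):
        # Leaver trigger: disable the identity and remove every downstream account.
        ident = self._identities[employee_id]
        ident.status = "disabled"
        for app in list(ident.accounts):
            self.deprovision(employee_id, app)

    def erase(self, employee_id):
        # Removal on request: nothing about the person remains in the store.
        self.disable(employee_id)
        del self._identities[employee_id]
```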
“I think it’s pretty clear that the Internet as a whole has not had a strong notion of identity. And identity means, ‘Who am I?’.” (Eric Schmidt. CEO Alphabet)
With the broad adoption of Cloud based applications, mobile devices and the Internet of Things (IoT), evolution is occurring not just in how consumers access company data, but in where the company data is located and how access is managed. Traditional manual methods are simply unable to manage access for each individual identity. Identity and Access Management provides the silver bullet to this challenge, ensuring that identities are given the right access without compromising the security of company data or personal identity information.
This series of blog entries will help you become familiar with the processes used in managing the identity lifecycle. The series includes:
- Registering a new identity, the process involved in capturing identity data and establishing the attributes of an identity, augmenting identity data from multiple sources and establishing a login name.
- Developing the relationship the identity has with each application and resource through automated provisioning, understanding the role of the source of truth and establishing access through attributes. We will also look at the triggers involved in de-provisioning and removing access.
- Governance – Requesting access, workflow approvals for access, notifications, and ensuring compliance is supported to prevent conflicts of interest and to enforce separation of duties.
- Login – Authenticating and verifying identity through the login process, including a look at the Single Sign On process used to log in to multiple applications.
- Authorisation – Ensuring that the identity is provided access to an application at the authorised level.
- Audit – Finally we will look at the reporting and audit processes involved in ensuring identity activity is tracked and reported on, and that forensic reviews of identity access can be performed.
It is foreseeable that we can all live in a safe online environment. It is also foreseeable that my partner will re-establish her Facebook account and join the rest of us in sharing our daily lives online. But then, should we really be keeping up with the Joneses through social media, or should we just get on with our lives and enjoy each meal, each holiday moment and each event as they occur, keeping the memories for the times we actually meet face to face with our friends and families?