Happy Identity Management Day
Every dog has its day, as the saying goes, and it's increasingly the case that every aspect of information technology has one too -- a day, that is, not a dog.
Today is Identity Management Day, created by the National Cybersecurity Alliance and the Identity Defined Security Alliance. It's the first one so you can forgive the lack of greetings cards and themed balloons in the shops but there is plenty of industry comment.
Anurag Kahol, CTO and co-founder of Bitglass, says, "Identity Management Day emphasizes the importance of protecting our digital identities (which is increasingly critical as the acceleration of digital transformation efforts opens new doors for threat actors). With many internet users holding dozens of online accounts across various services, it has become more difficult for them to memorize numerous, complex passwords. Unfortunately, password reuse has become a common malpractice that increases the chances of account hijacking when one set of a user’s credentials is leaked. More than 80 percent of hacking-related breaches are tied to lost or stolen credentials and it is now self-evident that passwords alone are not enough when it comes to authenticating users."
Michael Magrath, director, global regulations and standards at OneSpan, believes this comes at an important moment for the industry:
In the US we may be turning the corner and expect last year's Improving Digital Identity Act to be re-introduced during the current congressional session while NIST is in the process of revising its Digital Identity Guidance. The government is playing a major role in verifying identities for public sector agencies as well as the private sector.
Another important recent development is the role governments are playing in verifying identities for public sector agencies as well as the private sector. For example, the U.S. Social Security Administration’s electronic Consent Based Social Security Number Verification (eCBSV) service verifies an individual's name, date of birth, and SSN with consent of the individual when opening a bank account. Additionally, the HM Passport Office in the UK is piloting a similar service with passport information and pilots are also planned in the U.S. using passport data and current mailing address leveraging the State Department and Postal Service, respectively, to verify identities. Technological advancements combined with government policy have advanced the adoption of FIDO authentication standards globally, while social distancing guidelines have made electronic signatures commonplace with more and more applications leveraging the technology being available including electronic wills, remote online notarization, and electronic vehicle titling. Mobile driver licenses have been launched or are in pilots in several US states which will enable Americans to prove who they are in a privacy-enhancing way. Identity Management Day 2021 is exciting and I think we'll look back to 2021 in a few years, admiring how far we have come.
Yossi Zekri, president and CEO, Acuant, says, "Identity Management Day represents an industry that consistently fights fraud across the physical and digital world every day. It is important that we use this opportunity to share the importance of managing and keeping PII (personally identifiable information) secure from the increasing threat landscape, especially in cybersecurity. Consumers should be depending on providers that adhere to privacy standards, define a DPO (Data Protection Officer), obtain consent and safeguard their information from the outset."
A view echoed by Keith Hollender, global cybersecurity practice lead at Morgan Franklin Consulting, "Identity Management Day is a great new channel to help raise awareness in the cybersecurity community and general workforce, highlighting the importance of structuring a secure Identity and Access Management program. As the industry trends towards a Zero Trust model, where network traffic is untrusted and requests to access any resource must be securely completed, next-generation IGA products are providing sleeker and automated ways to use AI and machine learning and help organizations be more preventive in granting access for both human and non-human accounts."
Doug Davis, senior product manager at Semperis, offers advice on securing hybrid identity models:
With the growing popularity of cloud, enterprises have been gravitating toward a hybrid identity management model that promises the best of both worlds -- a little bit in the cloud, and a little bit on-premises. For the vast majority, this means leveraging Azure Active Directory (AAD) alongside Active Directory (AD). Organizations making this change must consider three critical adjustments: the need for new authentication models, the loss of the traditional perimeter, and drastic changes to the permissions model.
Changes in permissions are by far the biggest security risk when it comes to implementing hybrid identity management. Not only are there a huge number of services available when organizations move to a hybrid identity environment, but you also have roles in Azure AD that may be unfamiliar compared to the set of well-defined administrative groups in Active Directory. Organizations must establish strong governance of what apps are going to be turned on, who is able to make those changes, and what access rights they will get. While managing identity in a hybrid environment might seem as simple as joining a Windows device to AAD, failing to account for changes to the risk landscape opens the door to issues that can cause headaches in the future.
Blake Hall, CEO and co-founder of ID.me, sees this as an opportunity to put consumers in control, "As the digital economy explodes, the challenges of digital identity are also getting worse. The password problem is just the tip of the iceberg -- having to verify your identity at each site adds on to this high-friction process. On this inaugural Identity Management Day, we need to put consumers in control of their own data to strip out friction."