It is often said that, in modern Zero Trust aligned environments, Identity is the new perimeter, rather than the legacy approach of networks. This is due to the fact that we interact with systems through our digital identities and those identities, how they are authenticated, what they’re authorized to do, and under what context should all dictate access to data.
However, addressing digital identity concerns isn’t quite so simple and is further exacerbated by an ecosystem where identities are coming from countless geographic locations, devices, and digital environments and also include non-person entities as well as humans.
Before discussing some fundamentals of digital identity security, we must first define what an identity is. While there are many definitions to choose from, industry-leading guidance such as NIST’s Digital Identity Guidelines (800-63-3) defines digital identity as “the unique representation of a subject engaged in an online transaction”.
Some other key terms to understand when it comes to digital identity security include Authentication, Authorization, Identity Provider (IdP), and Single Sign-On (SSO). At a high level, authentication involves verifying the identity of a user or process. Authorization is determining if a subject has permission to perform a specific action.
An (IdP) is a system that creates, maintains, and manages identity information for subjects. Lastly, SSO enables users to securely authenticate with multiple systems by using a single set of credentials. All of these can and are involved in facilitating transactions in modern digital-enabled environments.
However, to get to the point of performing a transaction there are several other activities that must occur to establish a digital identity ecosystem capable of supporting authorization decisions. These include activities such as identity proofing, which helps establish that subjects are who they claim to be and digital authentication, which helps establish that a subject accessing a digital service can utilize authenticators as needed that are associated with their identity.
Authenticators could be as simple as a username and password or in multi-factor environments (which are universally recommended to bolster security) can include things such as SMS passcodes, one-time PINs, and physical tokens.
The reality is that identity exists in a lifecycle, whether you’re referring to a person or a non-person entity. As described in the book “An Overview of Digital Identity Lifecycle”, some of the key activities involved particularly for people include creating an identity, provisioning an account, authenticating, managing access or de-provisioning access. These activities are typically associated with where the individual is in the workflow and what activities they’re performing.
Another challenge many organizations wrestle with is the fact that we live in an increasingly complex interconnected environment. This applies whether you have multiple systems internally to your organization or you’re interacting with external systems owned by customers, business partners, and others you may engage with. This is where the concept of Federation comes into play. Federation facilitates the relationship between organizations or systems when it comes to digital identities and their associated lifecycles and permissions.
While this barely scratches the surface of an incredibly dense topic, of which there are entire tombs of information written, it helps set the stage for a basic understanding. One may ask why does this matter?
First is the reality that digital identities are absolutely key to our modern digital business ecosystem. It ceases to function without a proper understanding and implementation for digital identities. However, the stark reality is that many organizations are failing when it comes to properly implementing and securing the digital identities associated with their systems. For example the Verizon 2021 Data Breach Investigations Report points out that 61% of breaches have been attributed to compromised credentials.
In the push to secure our digital ecosystem through implementing Zero Trust principles and architectures, organizations must mature their digital identity practices. Digital identity is at the core of our online transactions and interactions and if we don’t properly set the foundation, we are living in a house of sand that will continue to crumble due to malicious actors’ activities.
Want more cybersecurity insights? Visit the Cybersecurity channel:
