Have you ever wondered where that pesky “username and password” login came from?
You’ve certainly pounded your keyboard once or twice trying to remember one of the ten thousand passwords it seems like you’ve had to remember, and of course, have forgotten (Was it “MrPiggles” or “password123”?).
Well, you can thank engineers from MIT in the early 1960’s for that sometimes maddening scenario that has frustrated users, and helpdesk support, the world over for over half a century.
In those early days of computing, engineers working on the Compatible Time-Sharing System (CTSS), an operating system that helped pioneer services we’re more familiar with today, such as email, instant messaging, file sharing, and virtual machines, implemented what is considered the first user password login functionality. This idea to logically “protect” computer user accounts is one of the earlier forms of digital identity management.
Today, identity management is everywhere due to the ubiquitous nature of technology in our lives.
From passwords, to physical tokens, to smart cards, to even our own physical biometrics, we use data elements tethered to our identities to do almost every digital task that has now become commonplace; accessing our bank account, enrolling in a government service, ordering a package from Amazon, almost every digital transaction we conduct leverages this identification data.
But as Peter Parker’s Uncle Ben once said, “With great power comes great responsibility.”
Each individual’s identity is very valuable, and protecting that data is paramount to its digital stewards.
Here are a few best practices on how organizations and technology professionals can do their part to keep identities safe and secure.
What is Identity Management?
Before we speak about how to conduct “good” identity management, we need to know what it is in the first place.
According to Webster’s dictionary, identity is “the distinguishing character or personality of an individual.”
In the computing world, these attributes come in many forms, typically bifurcated between biographic traits (information about you), and biometric traits (information that is you).
“Identity management” can be defined as the practices surrounding how identity data is managed and used.
Questions such as how you store it, how you transact it, who has access to it, how you hide it, and how you protect it all determine the scope and quality of the controls and protocols put in place to manage such identity data.
Regulations and Compliance
The good news for security professionals today is that because identity data has been known to be a valuable data resource for a long time, they have decades of research and work on the topic on which to rely for guidance.
Government and industry have created well-established standards and regulations that technology purveyors can reference to operate sound identity management controls.
The National Institute of Standards and Technology (NIST) is one such government organization that has made available to the public vast amounts of data dedicated to identity management controls and procedures.
NIST is by no means the only global organization to establish such standards and guidance, however, as it represents just one of many reputable entities and security frameworks to provide such direction on identity management standards. Other notable entities and frameworks include The International Organization for Standardization (ISO), General Data Protection Regulation (GDPR), and the Cybersecurity & Infrastructure Security Agency (CISA).
Security professionals are compelled to not only familiarize themselves with these popular standards and frameworks but also implement them to ensure they’re designing, building, and operating systems up to specification.
Encryption, or the practice of securing data and communication, is a key principle governing the effective maintenance and protection of data.
Though cryptographic concepts have been around and practiced since ancient times, the advent of computers has produced machines capable of processing and “cracking” (decrypting encrypted data) data on magnitudes beyond what the ancients could ever conceive.
This ongoing cat-and-mouse game of encryption and decryption necessitates the emergence of even stronger cryptographic algorithms to combat vulnerabilities present in legacy methods.
The primary vectors of maliciously extracting data, particularly identity-related data, are when it is at rest or stored and when it is in transit or communicated. Security engineers need to ensure they are incorporating up-to-date encryption protocols on this data to mitigate and thwart the constant threats lurking on the Interwebs.
Malicious actors have more tools and resources at their disposal today to uncover user passwords than ever before. These passwords can be bought on the Dark Web, uncovered through man-in-the-middle cyber-attacks, and simply taken from good old-fashioned social engineering attempts.
But a username and password are only one potential factor used to secure identity-based accounts.
Today, information systems have the ability to employ multiple factors to protect identity assets and accounts, and security professionals would be wise to employ this method of account protection.
A password is merely one thing you “know.” Additional factors of security can, and should, include data elements such as fingerprint or facial biometrics (what you “are”), and physical media such as encrypted certificate-based smartcards and tokens (what you “have”).
The potential risk for account compromise is drastically reduced when these additional factors of authentication are leveraged, mitigating total compromise even if one or more factors have been conceded.
Secure identity management is more than just employing sound encryption methods.
It extends to good access control policies to make sure only those authorized to access data are able to do so, proper auditing techniques to be able to identify an immutable “paper trail.” and hosting the data on infrastructures and architecture that is capable of effectively segregating and quarantining critical identity data into manageable resources.
Though encryption is a necessity and can be done manually, many cloud service providers now provide automated encryption “key” resources in which to manage encrypted data resources coherently and efficiently.
Making oneself familiar with these technology resources is a key component to maintaining a secure data infrastructure.
Organizations can no longer rely on hoping their workforces make good decisions when it comes to identity management.
Even the best of us are susceptible to clicking on a seemingly innocuous hyperlink in an email or navigating to a website that seems just fine.
It is integral for these entities to employ modern training resources for their staff with regard to the protection of data.
Many companies offer these types of resources that help employees understand the threats constantly vying for their attention and, worse yet, the “keys to the kingdom” that would give them nefarious access to important identity information and databases.
These resources will train staff on the latest threats, tactics employed in social engineering via email and social media, and best ways to proceed when a user encounters such potential threats.
An organization is only as secure as its weakest link, and more often than not that link may not be an unpatched firewall and an out-of-date anti-virus platform but a human being.
It is imperative organizations ensure methods and procedures used today to protect data are put in place with a plan for the future as well.
Though many security standards and frameworks exist today that make for great templates in which to architect a security identity management infrastructure, as they say in the industry, “You’re only as secure as your last anti-virus definition update”.
Industry technologies and security paradigms change, and often relatively quickly, and malicious actors out in the world are aware of this.
They are constantly picking and prodding information systems, from mom-and-pop store stores in the breakroom closet to nation-state intelligence agencies – all the while looking for out-of-date security controls in place in which to exploit.
Security personnel and officers need to make sure not only are they implementing compliant and modern security controls and updating those controls and resources on a regular basis but that they also have documented plans in place to compensate for the ever-evolving industry and technologies in it.
This may even mean information security officers getting up-to-speed on the post-quantum computer apocalypse when it’s predicted quantum computers may be able to crack most—if not all—conventional encryption protocols by 2030.
Identity management is not only about preventing bad actors from accessing unauthorized data but also ensuring that the users who have provided that data, whether under consent or not, retain privacy and sovereignty over their data.
The global unauthorized proliferation and misuse of user identity data remains an unfortunate reality, and it is up to the identity data managers, in conjunction with government policies, to enact policies, procedures, and protocols that inform individuals not only of their rights in regard to their data but how that data is used.
In recent years many governments worldwide have put in place regulations to help enforce such concerns, such as the EU’s aforementioned GDPR, South Africa’s Protection of Personal Information Act (PIPA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Though the United States does not yet have an overarching federal policy per se, many states have introduced their own policies, such as California’s Consumer Privacy Act (CCPA), Virginia’s Consumer’s Data Protection Act (VCDPRA), and Illinois’s Personal Information Protection Act (PIPA), with similar legislation in process in many others.
Organizations must be well-informed of these policies, especially if they conduct business in any of these jurisdictions, which is very likely with a lot of their software-as-a-service (SaaS) platforms available globally.
Although in a perfect world, identity data breaches would never happen, it is a regrettable all-too-common occurrence in our expansive digital economy.
Many Fortune 500 companies such Marriott Hotels International, Facebook, Coca Cola, and Yahoo have surrendered millions or more pieces of identity data into the wild as a result of malicious cyber-attacks.
Governments aren’t immune to this cyber invasion either. In 2015, the United States Office of Personnel Management data breach cost the identity data of approximately 22.1 million records, one of the largest data breaches in government history.
And though many of these cases involved bad identity management security practices and procedural failures, for many organizations, it may not even be a matter of if but when.
Being prepared to respond to such a potential identity data breach is an often-overlooked critical component of resolving the incident while incurring the least damage possible.
Organizations need to have effective incident management plans already in place before an attack has occurred to respond to these circumstances quickly and efficiently.
No one wants to go through these types of events, but as we know, even the seemingly most reputable and prepared organizations are still susceptible. Having a good incident management plan will go a long way in mitigating the fallout of such an event and possibly eliminating it from getting worse.
This list is by no means exhaustive when it comes to identity management best practices, but the best practices delineated above can give a good idea of the breadth and scope organizations and security professionals need to be aware of when they conduct business and operations that affect user identity data.
Companies and organizations must ensure they implement adequate safeguards to protect against malicious activity, even if it means soliciting outside security experts and companies.
The cost of “cleaning up” from the consequences of a data breach, especially when it involves identity-related data, is exponentially higher than the cost of putting sound controls and personnel in place to prevent it.
Just ask any of the chief security officers of any of the Fortune 500 companies mentioned above.