Security breaches make headline news. Even the most seemingly secure and untouchable organizations are vulnerable, because security measures are only as effective as their weakest link. Most recently, Equifax was compromised, potentially exposing vital information of half of all adult Americans.
When it comes to protecting digital identity, there needs to be a more sophisticated way to identify, authenticate, and trust identity information. How does your organization need to change the way it thinks about digital identity? And what measures should you take to better protect your systems and information?
Evolving threat landscape makes identity management a challenge
As hackers employ more sophisticated means to infiltrate an enterprise, organizations need to change the way they prove identity – including moving beyond password security. Verizon’s 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved password attacks, such as phishing or some other password-harvesting technique. (http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)
Once the initial breach happens, more damage follows as the attackers harvest additional passwords to explore the enterprise from the inside, compromising more systems and accessing more information.
How this impacts your business
Passwords are not enough to protect important data. The more valuable the data, the more important it is that only the right people have access to it. To keep up with changing technologies, market conditions, and attack methods, NIST updated its Digital Identity Guidelines to provide a more robust way to approach safeguarding identity.
Version 3 of NIST 800-63 (https://pages.nist.gov/800-63-3/) was released in June. The revised guideline helps organizations by outlining methods to adequately evaluate their requirements for authenticating users and to evaluate identity management tools. The previous version, NIST 800-63-2, had a single measure of identity effectiveness, the Level of Assurance. The revision replaces it with three separate measures, giving more clarity about how to measure trust in a digital identity. They are:
- Identity Assurance Level (IAL): How well do you know that the person creating this account is the real person he or she claims to be?
- Authenticator Assurance Level (AAL): How well do you know that the person accessing this service is the same person that created the account?
- Federation Assurance Level (FAL): How well do you trust the identity provided to you by a third-party identity service?
Creating your Identity Management approach
- Determine what types of users interact with your various systems. Typically an enterprise will have employees, customers, vendors, partners, and perhaps other user types.
- Map the business case and level of access for each user type. Define what information each role needs access to, as well as the level of trust required that the person accessing it is the person who should be accessing it. If you do not require a high level of assurance from a user, restrict the data he or she can access.
  - For instance, you trust your employees more than you trust your partners, perhaps your partners more than vendors, and vendors more than customers. A market system would require a different level of trust than your internal development system holding all of your intellectual property.
- Determine how you manage access, and how you verify and protect digital identity. Some questions to ask include:
  - Do you need to look at someone’s driver’s license in person before authorizing access to high-value information, or is an email address sufficient for accessing lower-value information?
  - Do you need multi-factor authentication (MFA) before allowing access to critical assets, or is password security sufficient for routine access?
  - Important note on MFA: When evaluating MFA vendors, NIST 800-63-3 defines and puts into context the capabilities they need to provide. Some authentication methods in common use today are no longer considered safe – specifically one-time passwords delivered by SMS. If you currently use SMS or email to deliver one-time passwords for authentication, consider transitioning to push or soft-token technologies.
  - Do you need a dedicated on-premises identity management system, or can you rely on a third-party Identity as a Service (IDaaS) provider such as Google, Facebook, or Microsoft?
Identity Management is a balancing act
The onus is on your company to keep information secure – and to make sure that those who interact with your systems are protected. It’s also important for identity management systems to enhance – not limit – your enterprise’s productivity. We can help you understand your needs for identity management. Contact us to learn more.