The weakest link in the identity chain is no longer authentication; it has moved!
The identity chain has many links (Identify, Provision, Authenticate, Federate, Manage, De-Provision), and for years the reliance on passwords has made authentication the weakest link. The use of passwords for user authentication is often the one piece of the cyber security system whose creation and safety is left in the hands its users; rather than being entrusted to its designer and administrators. Unfortunately, however, those users remain resolutely attached to passwords like ‘12345’ or ‘password.’ As a result, organizations are adopting stronger methods of authentication, such as multi-factor, and considering alternatives to passwords altogether. These investments are costly and need to be protected.
Standards bodies are reacting to the shifting weakness
The National Institute of Standards and Technology (NIST) is updating Special Publication 800-63 to establish that identity, authentication, and federation each have separate assurance levels. Previously, all three concepts were blended into a single assurance framework, that failed to surface the shift in weakness for organizations that invested heavily in stronger forms of authentication without addressing identification and federation. Today the standard recognizes that all three capabilities need to be individually assessed for assurance based on the nature of the business transactions and the relationship to the user population in question. Identity proofing and federation each have their particular challenges.
Repeated large-scale breaches complicate identity proofing
For Identity, proofing has become increasingly challenging because of the number of system breaches containing Personally Identifiable Information (PII) and the “Doxing” of that information from public sites. Doxing is the practice of aggregating PII about an individual using publicly available information, social networks and stolen information to create a 360-degree profile of a target. The trend is for data elements used for proving the identity of users in consumer applications, as well as some enterprise systems, to become commodity items, traded and sold, making it easier than ever to impersonate someone else’s identity.
The combined toxic mix of ease of use, casual PII protection practices and expanding revenue sources for cyber criminals, is destroying the trust in digital identity that is essential for conducting digital business.
Federation is weakened by the cloud
Federation can undermine the chain of overall identity assurance when one party’s understanding and treatment of identity assurance is very different from another’s. Massive damage is caused when identity information is leaked or stolen, is lasting, and can potentially affect millions. So what’s happening when your employees are putting valuable intellectual-property on file sharing sites? Even if you approve, what types of identities, from other sources (Google, Facebook, Yahoo, Microsoft), are linking to those files and what levels of assurance are they managed to? The weak link in the chain cannot be a mystery!
Respond by identifying the weakest link in your digital identity chain
Addressing the challenge starts with understanding the business. The Chief Security Architect role, in a chartered architecture function, has a view of both the business and technology and understands the assurance level concepts well enough to make the right decisions for the organization. So, engage your security architecture group or modify their charter to assess transactional patterns and establish risk tolerances.
Identity assurance is not just about mitigating cyber risks
Identity assurance is not just about mitigating cyber risks; it’s about connecting and enhancing the experience of customers and other constituents of your organization! An increasing number of organizations are aligning with the concepts of NIST 800-63 but fail to build the corresponding ‘business transaction matrix’ to know where to use assurance levels and in what combination.
The makeup and diversity of constituents dictate the assurance level threshold to be met. Initially, visitors to a website may only need to save their preferences. These potential customers will not need to be vetted in-depth straight away. As the association, interaction and data privacy requirements elevate, the assurance of identity needs to graduate to a higher level and meet the increased thresholds for proofing and authentication.
If you’re selling unregulated products, it’s important to have customer persistence assured by strong authentication; this supports revenue growth through a continued trustworthy relationship that includes contact information. Do you care if the person is who they claim to be? Perhaps you only need basic assurance for identity but stronger assurance for authentication. In this case, can you trust a social network to assert an identity? Do you trust them to authenticate your customer continually?
Understand your audience for identity proofing
Profile your target audience and determine what is available to be used for verification and what’s acceptable from the evolving set of technology solutions–this is an exciting space attracting innovation that includes, for example, facial recognition from social media sources. Look at the threat profile for your organization, in collaboration with your security architecture group, and determine if your choice of technology is adequately addressing fraud.
Don’t forget how important email is in verifying identity, resetting passwords, and managing tokens. Have you implemented trustworthy email for your brand yet? If you haven’t heard of protocols like “DMARC” you should research its potential to support your overall Identity and Access Management architecture.
Look into the promising value of identity ecosystems
President Obama signed a Presidential Directive in 2011 promoting a “National Strategy for Trusted Identities in Cyberspace.” From that program (run out of NIST) the Identity Ecosystem Steering Group was commissioned to oversee a trust framework and standards for trusting other sources of upstream authentication and identity assertions. This Identity and Access Management pattern leverages trustworthy credentials or allows you to become a source of identity assurance with a trust framework assessment and certification. The framework addresses both identification and authentication.
Review your legal agreements for federation language and indemnification
Do you have the proper association to industry trust frameworks when you are the source of authentication and when you are the receiver of identity services? Ask for the right level of accountability and don’t overpromise what you are providing for levels of identity to your downstream partners! In most federation arrangements there is a split liability based on the nature of an attack and which assurance levels were in place. Your master services agreement should clarify that responsibility. Alternatively, hold your new ‘Identity as a Service’ provider accountable to your established level of risk tolerance.
Make sure you can see what your organization is processing in the cloud
For visibility, a Cloud Security Access Broker can keep tabs on your ever-expanding enterprise perimeter! With a view of your processing in the cloud, you can determine what is approved and where federated trusts can go. You can also marry this information with data loss prevention to establish the data associated risk and make sure the right level of identity assurance is in place. Your federation strategy is a new and evolving input to IT governance.
Sound security architecture is the key to digital identity assurance
In the end, your standards and architectural principles are the way to ensure your strategy is governed and implemented. Make sure they’re up-to-date with the right industry references like NIST 800-63 and align your business transactions categorically to them! Security principles, defined by the Security Architecture function, are an efficient means of establishing what’s important and communicating that in easy to govern terms. If you don’t have these established yet, Identity Assurance is the place to start as a failure here undermines all other security investments. Architectural principles deputize the organizational roles responsible for screening and sizing your business solutions portfolio. Arm them with the tools necessary to identify business requirements for digital identity assurance!