Identity Management Day: Key players' identity-centric security top tips

With digital identity in the spotlight, we’ve gathered best practice advice from a selection of leading identity management players

Posted 13 April 2021 by Christine Horton

Today is Identity Management Day (yes, it’s a thing), which aims to educate business leaders and IT decision makers on the importance of identity management. This covers key components such as governance, identity-centric security best practices, processes, and technology, with a focus on the dangers of not properly securing identities and access credentials.

As such, we have gathered some best practice advice around implementing identity solutions from some key players in the identity management space.

Susan Morrow, head of research and development at Avoco Secure, says it’s important to be flexible in your approach to identity: prescriptive systems do not work for mass adoption across wide demographics.

“Identity networks are a missing layer in government that can solve many problems inherent in persistent identity accounts. ID networks are standard protocol-based, offer easy on-boarding for government services, and offer a dynamic way to interact with customers. At one end of the spectrum, these networks can provide the verified data needed to create assured accounts; at the other, they can re-use existing verified data in a ‘verify, don’t store’ zero trust identity model to check customers as they use a service, in real time.”

Chanel Chambers, senior director, product marketing management at Tanium, suggests practitioners focus on three areas around identity management.

“First, access control and the principle of ‘least privilege’ which gives users access only to the resources they absolutely need to do their jobs. We’ve seen cases where large, sophisticated enterprises didn’t realise that more than 20,000 of their users had administrative rights they shouldn’t have had.

“Second, have a process in place to track lateral movement paths. We know most cybercriminals get in via stolen credentials. Make sure you know who has access to what systems and data and the actual paths of lateral movement across your organisations. This also helps organisations prioritise patching.

“Finally, zero trust tells us to trust no one and verify everything. If your IT infrastructure doesn’t assume trust, it will require that each user and each point of access be re-verified.”

Identity takes a village

Donna Joyce, public sector, charities & NfP account director at Auth0, says identity isn’t just an IT problem; it takes the whole business to find a solution. She adds that customers that try to build an identity solution themselves often end up failing or taking too long to deliver.

“So many of our customers took 12 or 18 months to go build something, and eventually decide to buy,” she said. “Username and password (the login box) is pretty straightforward but that’s just the beginning. Then you start thinking about integrating multiple services. If I’m ordering a recycling bin, I may not need step-up authentication. But if I’m trying to change my billing address or pay council tax, I may want an extra check to make sure it’s really me. It gets really complex really fast and you should be focused on delivering great services for your citizens.”

Elsewhere, Dave Downs, senior developer at Condatis, believes standards are standards for a reason; the more you can stick to them, the easier your system will be to implement, maintain, and expand.

“It can be tempting to think that a standard almost works for you but that you can improve it, modify it, or do something slightly custom,” he said. “That invariably leaves you in a position where you’re struggling to integrate this custom solution across your ecosystem, where you’re reimplementing custom versions of what would be standard libraries, and you’re doing it in a way that’s invariably less secure. The standards have the benefit of years, even decades, of use and refinement; make the most of that.”

Meanwhile, Mikko Vuorinen, lead developer at Condatis, advises organisations to think about offering reusable identity to their users.

“Allow users to use their one identity instead of requiring them to sign up multiple times,” he said. “There are centralised options like identity federation with government-issued identity providers and corporate or social identity providers that can do this. But the more exciting options are now decentralised, such as verifiable credentials. Both have valid use cases and their strengths, but the decentralised option has the most potential for re-use across systems, domains and even jurisdictions.”

Authentication and trust

Jason Le-May, head of public sector sales at Okta, thinks firms should look at better alternatives to security questions.

“Security questions are vulnerable to exploitation because they rely on something the user knows – if an attacker guesses, researches, or phishes a security answer, for instance, the account is compromised,” he said.

Le-May said other measures, which rely on something the user has or an attribute inherent to the user, offer the highest level of assurance.

“With biometric authentication, for example, users don’t have to remember or store biometric traits like they do security answers, making them harder to compromise.” He added that with multi-factor authentication (MFA), “organisations can implement a mix of authentication factors to suit their needs, and analyze risk signals from user login attempts to determine which authentication methods are the most appropriate.”
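The two ideas above, step-up authentication for sensitive actions (the recycling bin versus council tax example) and choosing the required factors from login risk signals, can be combined in one small policy. The following is an added, hypothetical illustration written for this article, not code from Auth0, Okta or any other vendor quoted here; the action names, assurance levels, freshness window and risk signals are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set
import time

# Assurance level an action needs: 1 = a single factor, 2 = a second factor too.
# The action names echo the examples in the quotes; the levels are constructed.
ACTION_LEVEL = {
    "order_recycling_bin": 1,
    "change_billing_address": 2,
    "pay_council_tax": 2,
}
MFA_MAX_AGE = 15 * 60  # seconds a second-factor check stays fresh (constructed value)


@dataclass
class Session:
    factors: Set[str]           # factors verified so far, e.g. {"password", "webauthn"}
    mfa_time: Optional[float]   # epoch time of the last second-factor check, if any
    known_device: bool          # risk signals gathered at login
    usual_location: bool


def risk_score(session: Session) -> int:
    """Each adverse login signal raises the assurance the request must meet."""
    return int(not session.known_device) + int(not session.usual_location)


def required_level(action: str, session: Session) -> int:
    base = ACTION_LEVEL.get(action, 2)          # unknown actions are treated as sensitive
    return min(base + risk_score(session), 2)   # level 2 is the strongest we can ask for


def current_level(session: Session, now: float) -> int:
    if "password" not in session.factors:
        return 0
    has_second = bool(session.factors - {"password"})
    fresh = session.mfa_time is not None and now - session.mfa_time <= MFA_MAX_AGE
    return 2 if has_second and fresh else 1


def decide(action: str, session: Session, now: Optional[float] = None) -> str:
    """Return 'allow', 'step_up' (ask for a second factor) or 'reauthenticate'."""
    now = time.time() if now is None else now
    if current_level(session, now) >= required_level(action, session):
        return "allow"
    return "step_up" if "password" in session.factors else "reauthenticate"


if __name__ == "__main__":
    s = Session({"password"}, None, known_device=True, usual_location=True)
    print(decide("order_recycling_bin", s))   # allow
    print(decide("pay_council_tax", s))       # step_up
```

A stale second factor is treated like no second factor, so a long-lived session is asked to re-verify before a sensitive action rather than relying on a check made hours earlier.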

Gus Tomlinson, digital identity expert at GBG, says it is important to keep on top of your data. “Identities and the elements that can help you know and trust an identity are transient, and so your management of the identities you work with needs to be ongoing. Onboard and then continuously monitor and update the information that you hold so that you can be sure you and your customers have ongoing confidence in your digital relationships.”

Finally, Nick Caley, VP UK at ForgeRock, advises giving citizens the tools to control and delegate their digital identity attributes across digital services; this enhances their trust in service providers and drives engagement with digital services.

At the same time, he said “it is important to federate identity across multiple identity stores, which helps to create a single view of citizen needs, enabling digital service personalisation. [Additionally], adaptive strong authentication helps to enhance ‘trust in person’ without added user friction.”