January 3, 2019 By Angelika Steinacker 2 min read

It may be the most fundamental of all existential questions: Who am I?

In the physical world, the answer varies given the multiple roles we play in our family, professional and social lives. In the digital world, we often create our own digital identity and shape it with the choices we make online.

And that’s a big cybersecurity problem. Identity and access management (IAM) isn’t just an element of security; it’s at the very core of it. The goal of any security solution is to empower defenders and keep attackers out — or at least to detect threats and limit their impact. Doing so first requires knowing who’s online.

Connecting the Real World to the Digital World

As the well-known speaker Jacoba Sieders noted, identity is “deep, broad and large.” Identity has as many facets as a diamond and appears different depending on the angle you view it from. In many ways, it’s more art than science.

To connect the real world to the digital world, we can create digital identity models. These logical models represent a person with different attributes, characteristics and goals. Subsets of these can be related to different contexts — for example, buying goods at a company, working for an enterprise, etc. — and are often referred to as personae.

The persona in an IT environment would incorporate attributes assigned to that entity, such as name, organizational unit and unique identifier, to reliably connect the digital identity with the real-world identity. This persona would also include assigned entitlements, user accounts, and access rights, such as Active Directory group memberships, SAP roles and Lightweight Directory Access Protocol (LDAP) groups.

Reuse Your Digital Identity Models

In the digital world, who you are determines what you can do, where you can go and how much freedom you have to access functions in the enterprise; it’s the security equivalent of “Halt! Who goes there?”

Not only are digital identity models useful, they are also reusable. When you craft a model, you create processes and procedures around a persona. Is this user a joiner, mover or leaver in the organization? Is he or she changing positions? Relevant technical support can then be built around processes such as provisioning, authentication and authorization.

Rinse and repeat for other entities, such as servers, applications, smart meters and other internet of things (IoT) devices. Even if you have to adapt some technology, the model should still stand, and you’ll end up with better identity management.

Identity Is at the Heart of Cybersecurity

Last year, I attended the KuppingerCole European Identity and Cloud Conference where I met Pamela Dingle, one of the founders of the Women in Identity group. With growing support for women in the cybersecurity industry, I was curious why there was a need for a special group centered around identity. The conversations I had solidified in my mind that everything in security is related to identity.

These wise women are not operating in a silo, but instead are sharing ideas and experiences that get to the heart of cybersecurity. In addition to Pamela and Jacoba, I’d like to thank Barbara Mandl, Vivian Haag and Kim Cameron — author of “The Laws of Identity” — for sharing their expertise.

As the Charter of Trust expands and more major companies sign on to protect our digital world, it’s important to remember that identity and access management is critical to the foundation.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today