It may be the most fundamental of all existential questions: Who am I?

In the physical world, the answer varies given the multiple roles we play in our family, professional and social lives. In the digital world, we often create our own digital identity and shape it with the choices we make online.

And that’s a big cybersecurity problem. Identity and access management (IAM) isn’t just an element of security; it’s at the very core of it. The goal of any security solution is to empower defenders and keep attackers out — or at least to detect threats and limit their impact. Doing so first requires knowing who’s online.

Connecting the Real World to the Digital World

As the well-known speaker Jacoba Sieders noted, identity is “deep, broad and large.” Identity has as many facets as a diamond and appears different depending on the angle you view it from. In many ways, it’s more art than science.

To connect the real world to the digital world, we can create digital identity models. These logical models represent a person with different attributes, characteristics and goals. Subsets of these can be related to different contexts — for example, buying goods at a company, working for an enterprise, etc. — and are often referred to as personae.

The persona in an IT environment would incorporate attributes assigned to that entity, such as name, organizational unit and unique identifier, to reliably connect the digital identity with the real-world identity. This persona would also include assigned entitlements, user accounts, and access rights, such as Active Directory group memberships, SAP roles and Lightweight Directory Access Protocol (LDAP) groups.

Reuse Your Digital Identity Models

In the digital world, who you are determines what you can do, where you can go and how much freedom you have to access functions in the enterprise; it’s the security equivalent of “Halt! Who goes there?”

Not only are digital identity models useful, they are also reusable. When you craft a model, you create processes and procedures around a persona. Is this user a joiner, mover or leaver in the organization? Is he or she changing positions? Relevant technical support can then be built around processes such as provisioning, authentication and authorization.

Rinse and repeat for other entities, such as servers, applications, smart meters and other internet of things (IoT) devices. Even if you have to adapt some technology, the model should still stand, and you’ll end up with better identity management.
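The persona model and the joiner, mover and leaver processes described above, sketched as an added example (not code from the original article). The role catalogue, entitlement names and function names are hypothetical; the same model is reused for a person and for a smart meter.

```python
from dataclasses import dataclass, field

# Hypothetical role catalogue: entitlements per (organizational unit, entity kind).
# All entitlement names are constructed for illustration.
ROLE_CATALOGUE = {
    ("finance", "person"): {"AD:grp-finance", "SAP:FI_CLERK", "LDAP:cn=fin-users"},
    ("sales", "person"): {"AD:grp-sales", "SAP:SD_REP"},
    ("metering", "device"): {"LDAP:cn=meter-telemetry"},
}

@dataclass
class Persona:
    uid: str                 # unique identifier linking digital and real-world identity
    name: str
    org_unit: str
    kind: str = "person"     # the model is reused for devices, servers, applications
    active: bool = False
    entitlements: set = field(default_factory=set)

def apply_event(p, event, new_org_unit=None):
    """Apply a joiner/mover/leaver event and return (granted, revoked)."""
    before = set(p.entitlements)
    if event == "joiner":
        p.active = True
    elif event == "mover":
        if not p.active or new_org_unit is None:
            raise ValueError("mover needs an active persona and a new org unit")
        p.org_unit = new_org_unit
    elif event == "leaver":
        p.active = False
    else:
        raise ValueError(f"unknown lifecycle event: {event!r}")
    # Entitlements are recomputed from the model on every event, never carried
    # over; an unknown org unit or an inactive persona yields no access at all.
    target = set(ROLE_CATALOGUE.get((p.org_unit, p.kind), ())) if p.active else set()
    p.entitlements = target
    return target - before, before - target

def drift(p, observed):
    """Compare entitlements observed in target systems with what the model allows."""
    return {"unexpected": observed - p.entitlements,
            "missing": p.entitlements - observed}

if __name__ == "__main__":
    alice = Persona("u1001", "Alice Example", "finance")   # constructed sample
    print(apply_event(alice, "joiner"))
    print(apply_event(alice, "mover", "sales"))
    print(drift(alice, {"AD:grp-sales", "SAP:SD_REP", "SAP:FI_CLERK"}))
```

The `drift` check is what catches an old entitlement that a mover kept in a target system after the model revoked it.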

Identity Is at the Heart of Cybersecurity

Last year, I attended the KuppingerCole European Identity and Cloud Conference, where I met Pamela Dingle, one of the founders of the Women in Identity group. With growing support for women in the cybersecurity industry, I was curious why there was a need for a special group centered around identity. The conversations I had solidified in my mind that everything in security is related to identity.

These wise women are not operating in a silo, but instead are sharing ideas and experiences that get to the heart of cybersecurity. In addition to Pamela and Jacoba, I’d like to thank Barbara Mandl, Vivian Haag and Kim Cameron — author of “The Laws of Identity” — for sharing their expertise.

As the Charter of Trust expands and more major companies sign on to protect our digital world, it’s important to remember that identity and access management is critical to the foundation.
