It may be the most fundamental of all existential questions: Who am I?
In the physical world, the answer varies given the multiple roles we play in our family, professional and social lives. In the digital world, we often create our own digital identity and shape it with the choices we make online.
And that’s a big cybersecurity problem. Identity and access management (IAM) isn’t just an element of security; it’s at the very core of it. The goal of any security solution is to empower defenders and keep attackers out — or at least to detect threats and limit their impact. Doing so first requires knowing who’s online.
Connecting the Real World to the Digital World
As the well-known speaker Jacoba Sieders noted, identity is “deep, broad and large.” Identity has as many facets as a diamond and appears different depending on the angle you view it from. In many ways, it’s more art than science.
To connect the real world to the digital world, we can create digital identity models. These logical models represent a person with different attributes, characteristics and goals. Subsets of these can be related to different contexts — for example, buying goods at a company, working for an enterprise, etc. — and are often referred to as personae.
The persona in an IT environment would incorporate attributes assigned to that entity, such as name, organizational unit and unique identifier, to reliably connect the digital identity with the real-world identity. This persona would also include assigned entitlements, user accounts, and access rights, such as Active Directory group memberships, SAP roles and Lightweight Directory Access Protocol (LDAP) groups.
Reuse Your Digital Identity Models
In the digital world, who you are determines what you can do, where you can go and how much freedom you have to access functions in the enterprise; it’s the security equivalent of “Halt! Who goes there?”
Not only are digital identity models useful, they are also reusable. When you craft a model, you create processes and procedures around a persona. Is this user a joiner, mover or leaver in the organization? Is he or she changing positions? Relevant technical support can then be built around processes such as provisioning, authentication and authorization.
Rinse and repeat for other entities, such as servers, applications, smart meters and other internet of things (IoT) devices. Even if you have to adapt some technology, the model should still stand, and you’ll end up with better identity management.
Identity Is at the Heart of Cybersecurity
Last year, I attended the KuppingerCole European Identity and Cloud Conference where I met Pamela Dingle, one of the founders of the Women in Identity group. With growing support for women in the cybersecurity industry, I was curious why there was a need for a special group centered around identity. The conversations I had solidified in my mind that everything in security is related to identity.
These wise women are not operating in a silo, but instead are sharing ideas and experiences that get to the heart of cybersecurity. In addition to Pamela and Jacoba, I’d like to thank Barbara Mandl, Vivian Haag and Kim Cameron — author of “The Laws of Identity” — for sharing their expertise.
As the Charter of Trust expands and more major companies sign on to protect our digital world, it’s important to remember that identity and access management is critical to the foundation.
CTO for Identity & Access Management, IBM Security Europe
Angelika has extensive Security and Identity & Access Management experience, with 30+ years in security, and 20 years with a focus on IAM. She joined IBM...