It may be the most fundamental of all existential questions: Who am I?

In the physical world, the answer varies given the multiple roles we play in our family, professional and social lives. In the digital world, we often create our own digital identity and shape it with the choices we make online.

And that’s a big cybersecurity problem. Identity and access management (IAM) isn’t just an element of security; it’s at the very core of it. The goal of any security solution is to empower defenders and keep attackers out — or at least to detect threats and limit their impact. Doing so first requires knowing who’s online.

Connecting the Real World to the Digital World

As the well-known speaker Jacoba Sieders noted, identity is “deep, broad and large.” Identity has as many facets as a diamond and appears different depending on the angle you view it from. In many ways, it’s more art than science.

To connect the real world to the digital world, we can create digital identity models. These logical models represent a person with different attributes, characteristics and goals. Subsets of these can be related to different contexts — for example, buying goods at a company, working for an enterprise, etc. — and are often referred to as personae.

The persona in an IT environment would incorporate attributes assigned to that entity, such as name, organizational unit and unique identifier, to reliably connect the digital identity with the real-world identity. This persona would also include assigned entitlements, user accounts, and access rights, such as Active Directory group memberships, SAP roles and Lightweight Directory Access Protocol (LDAP) groups.

Reuse Your Digital Identity Models

In the digital world, who you are determines what you can do, where you can go and how much freedom you have to access functions in the enterprise; it’s the security equivalent of “Halt! Who goes there?”

Not only are digital identity models useful, they are also reusable. When you craft a model, you create processes and procedures around a persona. Is this user a joiner, mover or leaver in the organization? Is he or she changing positions? Relevant technical support can then be built around processes such as provisioning, authentication and authorization.

Rinse and repeat for other entities, such as servers, applications, smart meters and other internet of things (IoT) devices. Even if you have to adapt some technology, the model should still stand, and you’ll end up with better identity management.

Identity Is at the Heart of Cybersecurity

Last year, I attended the KuppingerCole European Identity and Cloud Conference where I met Pamela Dingle, one of the founders of the Women in Identity group. With growing support for women in the cybersecurity industry, I was curious why there was a need for a special group centered around identity. The conversations I had solidified in my mind that everything in security is related to identity.

These wise women are not operating in a silo, but instead are sharing ideas and experiences that get to the heart of cybersecurity. In addition to Pamela and Jacoba, I’d like to thank Barbara Mandl, Vivian Haag and Kim Cameron — author of “The Laws of Identity” — for sharing their expertise.

As the Charter of Trust expands and more major companies sign on to protect our digital world, it’s important to remember that identity and access management is critical to the foundation.

More from Identity & Access

How to Keep Your Secrets Safe: A Password Primer

There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don't know it yet. Criminals are relentless. Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within…

Making the Leap: The Risks and Benefits of Passwordless Authentication

The password isn't going anywhere. Passwordless authentication is gaining momentum, though. It appears to be winning the battle of how companies are choosing to log in. Like it or not, the security industry must contend with both in the future.  But for some businesses and agencies, going passwordless is the clear strategy. Microsoft, for instance, has recently stopped forcing users to use a password to access their account, which allows access to a wide range of Microsoft business and personal…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…