Securing digital identities into the future

Author: Sumal Karunanayake, Senior Vice President Asia Pacific and Japan, ForgeRock

Gartner believes that by 2020, 60% of organisations will use active social identity proofing and let consumers bring in social identities to access risk-appropriate applications. It also predicts that by 2020 new biometric methods will displace passwords and fingerprints for access to endpoint devices across 80% of the market.

Identity is increasingly critical to the digital economy, protecting consumer privacy and providing enterprises with greater visibility into customer preferences. Historically, most businesses focused on managing the identity of their own staff. However, businesses and organisations can’t properly take advantage of mobile, cloud, or Internet of Things (IoT) technologies without a scalable and repeatable identity strategy. Without it, they have no way to identify and engage with their customers in a meaningful way — whether it be through a laptop, mobile phone, tablet, connected car, healthcare wearable, connected home device or the next great connected innovation.

Companies are now starting to use identity to transform and personalise users’ experience so that, for instance, a connected car remembers the preferences of each driver or a financial services portal offers customers a convenient overview of all their activities and accounts in one place. Digital identity is fast becoming essential for wearable technology too. Wearable devices such as fitness trackers, or healthcare monitors, offer a wide range of personalised functionality to support the user’s individual goals.

As we watch everyday items connect to the Internet, the importance of digital identities will become increasingly clear.

In its simplest form, Identity Management (IM) is the creation and administration of users and things and the rules that govern what they can do online. It answers the questions: Who (or what) are you? What can you (or it) do online?

This may sound simple, but the number of applications, devices and things involved in making these types of decisions are often quite complex. It involves taking every application (on premises and off) and externalising the identity management capabilities in order to centrally manage users and things and their sign-on and authorisation policies. For some enterprises, this often comprises hundreds or thousands of apps interacting online that must be Identity Management-enabled.

As businesses transition to a digital marketplace where their goods and services are available online and via devices, companies and governments alike are realising that their ability to secure and manage the digital identities of every customer, every prospect, and every member of the public is a fundamental requirement.

Legacy identity management (IM) was based on monolithic platforms that used static rules to make decisions. It was not designed to easily integrate with any application (on premises or off), to provide device-agnostic access, to handle large-scale populations, or to make decisions based on consumer context. In short, traditional IM is struggling to meet today’s business demands.

To connect customers and citizens to relevant goods and services in the digital age, businesses and governments instead require customer-focused identity management. The evolution from identity management to customer-focused identity management has a name: Identity Relationship Management (IRM). IRM is equipped with unique capabilities that differ from traditional identity management requirements.

To protect these identities, businesses need to implement a more robust, multi-layered security model, which uses context clues to decide whether to give access, and how much. Even with correct credentials, a login attempt from an unrecognised IP address or at an atypical time of day can trigger additional security precautions, asking security questions or texting verification codes to a user’s mobile phone, for example.

In order to protect an organisation managing increasing digital identities, security officers should:

Think externally – authenticate external contacts and customers. As each user accesses systems with multiple devices they expect an experience that is tailored to how, when and where they are accessing services.

Use a unified identity platform – which will allow a repeatable way to protect a growing number of devices.

Use open standards and technologies, supported by your identity platform – the platform needs to be reachable in a standardised way, whether the communication comes through a human or machine.

Analyse real-time behaviour and context – ensure data is encrypted and authenticated when it’s communicated between IoT devices. Check the location, time and device to ensure requests to connect are valid, warranted by legitimate business need, and consistent with past behavior.

The winners and losers in today’s digital world will be determined by how they approach the issue of identity as they develop new offerings. Those that utilise the right identity platform can quickly respond to the needs of their business, reinventing themselves to roll out new services to any device or thing more quickly than their competitors—and to seize a distinct advantage in the market.

Blast from the past?

Try our new Space Invaders inspired video game NOW

What score can you get ?