Managing Identity in Cyberspace (and everywhere else…)
Identity, in today’s digital world, is a continuing war between attack and defense.
Moving critical business operations online or into the cloud provides faster and more efficient services for customers, partners and employees. However, this source of enormous efficiencies, growth opportunities and cost savings also creates risks — enterprise system penetration, account hijacking and all the other assorted permutations of identity theft.
Since identity management constitutes risk — in many cases, high risk — prudence requires it be fully integrated into the enterprise risk management paradigm.
The National Institute of Standards and Technology (NIST) SP 800-63-1 refers to identity as the collection of attributes sufficient to uniquely identify the individual to whom the identity refers.
At its most basic, the identity job involves the processes that enable the right users to access systems, applications and data. It must also ensure the enterprise can accurately assign responsibility for access and associated actions, including non-repudiation.
These processes fall into three stages:
- Identity creation, identity proofing, and electronic credential issuance
- Authentication (electronic credential use)
- Identity change management
What might seem a simple, straightforward task is, in reality, an enormously complex and constantly evolving responsibility. The level of effort appropriate at each stage is defined by the risk presented by the information or the business process being protected.
For example, the degree of assurance in identity proofing does not necessarily correlate to the “strength” of a credential that should be required for authentication.
To illustrate: if an enterprise offers a service in which users can enter and retrieve sensitive data, the enterprise may not need to know the real identity of these users. However, it may need to provide strong access credentials, such as two-factor authentication, to ensure that only the person who entered the data can retrieve it and to establish non-repudiation of activities performed by the user.
This four-part series by Brent Williams, Chief Technology Officer for Anakam Identity Services, outlines the elements a company should consider in approaching identity in order to protect its most valuable corporate assets. It all starts with building identity for your enterprise, which we will address in our next blog.