Managing Identity in Cyberspace: Updates
This is Part 3 of our continuing series on Managing Identities in Cyberspace. Every identity management system must have a way to change identity-related information.
A name might change as a result of marriage or adoption. An address might change. An e-mail address might change.
Individuals may need different privileges as their relationship with the enterprise evolves, or because individuals with similar identity information need to be uniquely identified. For example, an individual whose job responsibilities change may need to have identity information augmented with job-specific credentials, such as a medical license. One individual may need to have the ability to act on behalf of another individual. Additional data may need to be included for a father and a son with very similar names.
An individual might be approaching the system from two different points of view, with both points being valid. A doctor may also be a patient; a government employee a citizen; and a merchant a customer—all of these either within or across enterprises.
An identity also may need to be archived or deleted.
It is important to remember that changes in the identity have potentially significant consequences for both the enterprise and the owner of the identity. The enterprise needs to hold to several essential tenets when it comes to identity data modification. No matter who performs the changes, even if they are performed by a trusted agent inside the enterprise, all such modifications should be logged and audited. This enables the enterprise to control the risks presented by the insider threat, including identity theft, liability exposure through inappropriate actions, or theft of enterprise resources.
If the enterprise enables self-service by individuals to modify their data, such modifications should be permitted only after the individual has passed authentication at an appropriate level. For example, when using out-of-band, one-time passcode delivery, the enterprise should only allow self-service change by an individual after they have passed an equivalent level of authentication with an alternate authentication solution.
Changes to identity data should be treated as high-risk transactions because such changes can be used for account hijacking, enterprise system penetration, and system privilege changes. Once again, all changes should be logged and audited.
Finally, the enterprise needs to perform periodic evaluations of its identity-related policies, processes, and technologies in order to stay abreast of the evolving risk environment. Actions that are innocuous on their own, such as changing the e-mail address to which notifications are sent, may evolve into precursors of account hijacking or worse.
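One way to audit logged identity changes for the two risks described above, under-authenticated changes and a notification-address change followed closely by a sensitive action, is sketched below. This is an added example, not code from the original post; the record fields, action names, required authentication level and 24-hour window are all assumptions, and the log entries are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real data); field names are assumptions.
AUDIT_LOG = [
    {"ts": "2024-03-01T09:00:00", "identity": "u1001", "actor": "u1001",
     "action": "change_email", "auth_level": 1},
    {"ts": "2024-03-01T09:20:00", "identity": "u1001", "actor": "u1001",
     "action": "reset_password", "auth_level": 1},
    {"ts": "2024-03-01T10:00:00", "identity": "u2002", "actor": "agent7",
     "action": "change_address", "auth_level": 2},
    {"ts": "2024-03-02T08:00:00", "identity": "u3003", "actor": "u3003",
     "action": "change_email", "auth_level": 2},
    {"ts": "2024-03-09T08:00:00", "identity": "u3003", "actor": "u3003",
     "action": "reset_password", "auth_level": 2},
]

CONTACT_CHANGES = {"change_email", "change_phone"}   # where notifications go
FOLLOW_UPS = {"reset_password", "change_privilege"}  # sensitive next steps
REQUIRED_LEVEL = 2  # assumed minimum auth level for any identity change


def review(events, window=timedelta(hours=24)):
    """Return (weak_auth, chains) findings from identity-change audit events."""
    weak_auth, chains = [], []
    last_contact_change = {}  # identity -> time of its latest contact change
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # Any change made below the required authentication level is a finding.
        if ev["auth_level"] < REQUIRED_LEVEL:
            weak_auth.append((ev["identity"], ev["action"]))
        if ev["action"] in CONTACT_CHANGES:
            last_contact_change[ev["identity"]] = ts
        elif ev["action"] in FOLLOW_UPS:
            changed = last_contact_change.get(ev["identity"])
            # Contact change then sensitive action inside the window.
            if changed is not None and ts - changed <= window:
                chains.append((ev["identity"], ev["action"], ts - changed))
    return weak_auth, chains


if __name__ == "__main__":
    weak, chains = review(AUDIT_LOG)
    for identity, action in weak:
        print(f"under-authenticated change: {identity} {action}")
    for identity, action, gap in chains:
        print(f"contact change then {action} after {gap}: {identity}")
```

The same password reset a week after the address change (identity `u3003`) is not flagged, which is why the window should be revisited as part of the periodic evaluation.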
In our next blog, we will address authentication — using the identity.