Our digital identities play a crucial role in modern business and often are the difference between a secure and productive operation and a deficient one. Identity can be an enigmatic concept to many but can be plainly defined as a digital representation of our virtual selves.
Digital identity is not limited to individual end-users; it also extends to physical devices such as smartphones, laptops, networking equipment, and more. Each entity has a unique digital identity exclusive to itself. Going modern and securing our digital identities is more critical now than ever in today's volatile digital landscape. It is crucial that they are properly configured and secured.
Getting digital identity right can be a challenge, but it is attainable by addressing the distinctive components that comprise a modern digital identity. We define these components as the pillars of digital identity defined by two overarching areas: Bringing Identity to a modern state and Securing Identity.
When these dynamic pillars are properly configured, our digital identities will operate intelligently, protecting users in real-time. That said, let’s dive into the specifics of each pillar of digital identity.
Remodeling Identity to a Modern State
When we consider updating identity to a modern state, it is critical that we first address bringing our Identity Provider (IdP) to a modern state. Many businesses will have multiple IdPs (examples include Active Directory, Azure AD, Ping Identity, Oracle Identity Management, AWS Identity Services, etc.). When you’ve updated to a modern identity, IdPs should work in tandem to establish robust digital identities, back up data, and provide visibility into authentication.
The overarching goal of bringing identity to a modern state is to integrate legacy/modern identity platforms, applications, and tools with a modern IdP. These integrations must employ modern integration protocols such as System for Cross-domain Identity Management (SCIM), SAML 2.0, and OAuth 2.0.
To begin a modern digital identity journey, a business must invest in an IdP with the following capabilities:
Single and Multi-Cloud Environments
A modern IdP will possess capabilities that go beyond the offerings of a legacy IdP. The modern IdP must have the capability to integrate with single and multi-cloud environments, effectively streamlining the management of identities regardless of location.
When hosting an identity environment, your business is responsible not only for that environment but also for the adjoining identities. Consequently, you’re also responsible for architecting it and building out the resilience when hosting an identity environment.
The resilience piece refers to the ability to maintain dynamic identity data if a piece of the identity infrastructure fails. In this event, another should be able to compensate. The utmost goal of creating resilience is to create an environment with reliable and consistent uptime. This applies not only to the server but also to the data in your environment, network connectivity between servers, DNS, application integrations, etc. A modern IdP will account for all of these. If one component fails, your system should intelligently identify the deficiency while copying and sharing any data with another region, ensuring that your data remains fully intact, and users remain operational and productive.
Modern IdPs like Azure AD tout 99.99% uptime, which works out to only about five minutes of downtime per month. Such resilience provides a level of security that ensures your company can function confidently without a break in productivity.
Processing Authentication Requests
When you’ve updated your digital identity to a modern state, the capacity to handle a high number of authentication requests expands globally. Modern IdPs offer this kind of authentication-as-a-service, empowering users to efficiently access needed resources and relieving admins of tedious operations.
Modern IdPs deploy modern authentication and authorization capabilities such as MFA, certificate-based authentication (CBA), SAML 2.0, and OAuth 2.0 to determine the unique resources a user is permitted to access and the resources that are restricted.
Self-Service User Experience
With a modern IdP, users can natively take actions themselves in the cloud – this was not possible with an on-prem-only infrastructure. Tasks like password resets become possible for an end-user to achieve without assistance from an IT administrator.
A modern IdP will also allow for end-user application management via modern workflows. The self-service capabilities of a modern IdP can eliminate the volume of low-level IT tickets, removing waits for end-users and freeing up IT admins for larger and more complex tasks.
Auditing and Monitoring
A critical difference between a legacy IdP and a modern IdP is evident in the auditing and monitoring process. Legacy IdPs simply do not log identity events adequately, whereas a modern IdP logs events in real time, constantly running and recording data in the background.
For instance, with a modern IdP, it is trackable and instantly visible anytime a user authenticates in your environment. Furthermore, if a user receives access to a resource, admins have the capability to review audit logs to confirm the user has, in fact, received access to a group or application.
A difference maker for modern IdPs when it comes to auditing and monitoring is their ability to integrate with external sources. Most legacy models were unable to achieve this without a third-party tool (which more often than not uses very generic logs). Simply put, a legacy IdP won’t allow you to see the full picture.
Through contemporary auditing and monitoring practices, modern IdPs have the ability to catch activities that may put a user at risk in real time. This functionality works in conjunction with other components of a modern digital identity, such as conditional access with user risk and sign-in risk policies. A modern IdP will also let you view the location from which a user logs in, while leveraging user signals to create intelligent monitoring and logging.
Securing Digital Identities
Apart from updating identity, the process of securing digital identities forms its own individual pillar, as it addresses unique challenges.
One of the foremost modern techniques in securing digital identity is establishing passwordless authentication. This can be achieved by applying fundamentals like multi-factor authentication, an authenticator app or FIDO2 key, biometrics, and the configuration of conditional access policies. However, building a passwordless environment is not as simple as flipping a switch; it is a journey that requires a great deal of planning and technical acumen, not to mention buy-in from end users. You can find out more about how you can secure your identity with passwordless technology here.
Privileged Access Management (PAM)
Privileged Access Management (PAM) is a framework to ensure that users and administrators in your environment receive only the necessary access needed to perform the functions of their job securely. Reducing access to privileged permissions helps reduce the likelihood of a compromise.
A PAM strategy can be achieved by first understanding which users, applications, and administrators have excessive permissions in your environment, and then understanding whether, why, and how those users actually need those permissions. Businesses can then use tools to provide limited access within their environment. PAM solutions provide features such as:
Shared password storage
Enforcing strong encryption and automatic population
Password check-in/check-out
Ad-hoc password management
Privileged session monitoring and logging
Endpoint privileged management
Application risk management
The processes for identity governance within your environment are crucial. When we think of governance, it is important to consider lifecycle management (the evolution of an identity from the moment an employee joins a business up to the moment they exit it). With a modern IdP, the capability exists to natively automate many lifecycle management processes. Below are the foremost elements to consider:
Entitlements management ensures that users receive appropriate access to the correct resources when they are initially onboarded. Playing a critical part in identity governance, properly managing entitlements ensures that identities are properly configured and secured from the moment a user lifecycle begins.
Role-based access controls (RBAC) can be defined as the methodology used to restrict or grant unique permissions to groups or individuals within a tenant. The idea is to limit access to highly sensitive areas of your environment while giving certain identities just enough access to sufficiently carry out specific duties. RBAC either restricts or permits access to your environment based on the scoped role assigned to a group or user by Global Administrators.
Attribute-based access controls (ABAC), on the other hand, take the idea of RBAC a step further while providing a level of automation. Not only does ABAC consider a user’s role when granting or restricting access to areas of an environment, it also intelligently segments access using specific components of the user’s identity (e.g. location, team, hardware). ABAC works intelligently with lifecycle management, as it can be configured to remove the attributes that allow or restrict permissions when a user is offboarded.
Continuous Access Reviews:
The properties contained in a digital identity are defined on the back end and describe who the user is (e.g. location, role, phone number, etc.). Based on these properties, individuals receive access to the specific resources necessary for their productivity. Identity governance aims to achieve a concept known as “least privileged access,” a security strategy that only grants end-users permissions to the unique resources specifically needed for their productivity. Conducting continuous access reviews helps administrators ensure that identities are properly managed and that their access is aligned with the attributes held in their identity.
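As an added example (not code from the article or from Mobile Mentor), the Python below shows how ABAC layers attribute checks on top of an RBAC role check, how offboarding strips the attributes that justified access, and how a continuous access review flags entitlements that no longer align with an identity's attributes. The policies, identities, resource names and attribute names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: each resource requires a role (RBAC) and a set
# of identity attributes that must all match (ABAC layered on top).
POLICIES = {
    "payroll-app":  {"role": "finance", "attrs": {"team": "payroll", "device": "managed"}},
    "eu-fileshare": {"role": "staff",   "attrs": {"location": "EU"}},
    "admin-portal": {"role": "admin",   "attrs": {"device": "managed"}},
}


@dataclass
class Identity:
    name: str
    roles: set            # RBAC: roles assigned by an administrator
    attrs: dict           # ABAC: location, team, device state, ...
    entitlements: set = field(default_factory=set)  # granted at onboarding


def is_permitted(identity, resource):
    """RBAC check first; then every ABAC attribute in the policy must match."""
    policy = POLICIES[resource]
    if policy["role"] not in identity.roles:
        return False
    return all(identity.attrs.get(k) == v for k, v in policy["attrs"].items())


def offboard(identity):
    """Lifecycle step: remove roles and attributes. Entitlements are deliberately
    left in place so the access review below can surface the resulting drift."""
    identity.roles.clear()
    identity.attrs.clear()


def access_review(identities):
    """Return {name: [resources]} for every entitlement the current role and
    attributes no longer justify, i.e. access that has drifted from identity."""
    findings = {}
    for ident in identities:
        stale = sorted(r for r in ident.entitlements if not is_permitted(ident, r))
        if stale:
            findings[ident.name] = stale
    return findings


def sample_identities():
    """Constructed identities: a finance user on a managed device and an EU staffer."""
    alice = Identity("alice", {"staff", "finance"},
                     {"team": "payroll", "device": "managed", "location": "US"}, {"payroll-app"})
    bob = Identity("bob", {"staff"},
                   {"team": "sales", "device": "unmanaged", "location": "EU"}, {"eu-fileshare"})
    return alice, bob
```

Changing an attribute (for instance, bob relocating out of the EU) or offboarding a user makes the next review flag the entitlement that is no longer backed by the identity.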
Going modern and securing your identities will ultimately position your organization for a safer and more productive environment. By following the four pillars of identity, you’ll ensure that your digital identities are operating intelligently and protecting users in real-time – allowing your IT team to spend less time managing identity and more time innovating. For your end-users, increased self-sufficiency will mitigate the unnecessary downtime often caused by legacy IdPs and ultimately improve efficiency.
Demetrius Cooper is Mobile Mentor’s Digital Identity lead. He has over 11 years of industry experience with a predominant focus on digital identity. A Chicago native, Demetrius lives and works in Atlanta, GA.