Identity? Access? Management?

CyberWaala
5 min read · Jul 18, 2022

Have you ever heard the question, “Who are you?”, or, if you’re on the verge of evaluating your own existence, “What are you?” All we have is ourselves and our own identity. So what is our identity? Identity is concerned with the question “who am I?” or “what am I?”

Identity, in general, refers to the fact of being who or what a person or a thing is. It encompasses the memories, experiences, relationships, and values that create one’s sense of self.

(The way Hagrid sees it; Harry’s identity is that of a wizard.)


Now, as you’re probably not reading this from a printout on a piece of paper, it is ever so important to distinguish what your “digital identity” is.

A digital identity is the body of information about an individual or electronic device that exists online: the information computer systems use to represent an external agent, whether a person, an organization, an application, or a device.

Let’s take an example. We all know that Bruce Wayne is Batman (SPOILERRR). We also know that he’s the son of billionaire Thomas Wayne, that he enjoys fighting crime, that he lives in a city called Gotham, and so on. In the digital world, though, his identity is built from the pictures he uploads to Instagram when he is out fighting the Joker, his geolocation when he travels the world as a masked vigilante, the capes he adds to his shopping cart on Amazon, and even his search engine history (hellooooo Catwoman *purrrrr*).

Digital identities allow access to computer-provided services to be automated. Unique user patterns make it possible to recognize individuals or their devices and to understand their expected behaviour. The same information is often used by attackers to profile a user and look for weaknesses that could be exploited to gain access to a resource.

Oh…a new word? Access? And what is access? As per Techopedia,

“Access, in the context of security, is the privilege or assigned permission to use computer data or resources in some manner.”

It is the amount of admittance or privilege granted to a given entity. Access is critical to maintaining the security of computer systems: it restricts or permits the use and distribution of information, the changing of settings, and the general use of a system.

Yeah…you can come in.

For instance, say someone wants to enter an office in the Empire State Building. The office belongs to a company that occupies floors 28–35 of the building. Once their identity is verified, the individual is given a temporary keycard that only works on those floors. If they try to reach floor 25, they are denied. Levels of access differ too!

Now that we have covered what identity and access are, let’s move on to an important modern security concept in cyberspace: Identity and Access Management, or IAM.

Identity and access management, or IAM, is the security discipline that ensures the proper rules are in place for the right entities (people or things) to use the right resources (applications or data) at the right time, without interference, using the devices they want to use.

Easy enough, right?

To give a more technical explanation, IAM comprises the systems and processes that allow IT administrators to assign a single digital identity to each person, authenticate them when they log in, authorize them to access specified resources, and monitor and manage those identities throughout their lifecycle.

IAM systems essentially perform two tasks:

  1. IAM systems confirm that the user or entity is who they claim to be by checking their credentials against a store of known identities.
  2. IAM systems grant only the appropriate, approved level of access.

In essence, IAM performs Authentication and Authorization. Authentication is the assurance of the digital identity of one entity to another, and authorization is the determination of the extent to which access to resources is granted to the authenticated entity. (We’ll chat about this in a later post, so tune in to find out.)

Let’s take an example to understand IAM.

Say Batman wants to go to a party at a nightclub on a Saturday night, and assume he’s already on the guest list. The bouncer at the entrance of the club will check Batman’s ID to ensure that he is in fact the REAL Batman (Will the real Batman please stand up…lol). This is Authentication.

Given the spoiler from earlier (Bruce Wayne is Batman, and Bruce Wayne is the son of a billionaire), there’s a good chance the VIP section has been booked and Batman’s name on the guest list has an asterisk next to it. Batman therefore has access not only to the bar and the dance floor, but also to the couches and tables in the VIP section. While letting him in, the bouncer tells Batman that he can use the VIP section. This is Authorization.

Through authorization, different levels of access are granted to different users, or to different types of users. Batman has access to the VIP section, but not to the back office where there may be a safe. Only the security staff and the manager of the nightclub may have access to it.
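To make the two tasks concrete, here is an added example, written for this post and not taken from any IAM product, that implements the nightclub scenario above: `authenticate` plays the bouncer checking the ID (credentials verified against salted PBKDF2 hashes), and `authorize` checks the asterisk on the guest list (roles mapped to the areas they unlock, deny by default). The usernames, passwords, roles and areas are constructed sample data.

```python
# Added example for this post (not from any IAM product): a minimal IAM core
# that keeps authentication ("is this really Batman?") separate from
# authorization ("may Batman enter the VIP section?"). The user store, roles
# and resources below are constructed sample data for the nightclub scenario.
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000  # slow hash so stolen hashes are expensive to crack


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed guest list: identity -> (salt, digest). Sample secrets for illustration only.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "batman": hash_password("i-am-the-night"),
    "manager": hash_password("back-office-keys"),
}
# Dummy record so a request for an unknown username does the same work as a real one
# (otherwise response time would reveal which usernames exist).
_DUMMY = hash_password("not-a-real-user")


def authenticate(username: str, password: str) -> Optional[str]:
    """The bouncer checking the ID. Returns the verified identity or None.
    Says nothing about what the identity is allowed to do."""
    salt, expected = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, expected):
        return username
    return None


# Roles attached to identities (the asterisk on the guest list) and the role each area requires.
ROLES: Dict[str, Set[str]] = {
    "batman": {"guest", "vip"},
    "manager": {"guest", "vip", "staff"},
}
RESOURCES: Dict[str, Set[str]] = {
    "dance_floor": {"guest"},
    "vip_section": {"vip"},
    "back_office": {"staff"},   # the safe: staff only
}


def authorize(identity: Optional[str], resource: str) -> bool:
    """Role-based check, deny by default: unauthenticated callers, unknown
    identities and unknown resources are all refused."""
    if identity is None or resource not in RESOURCES:
        return False
    return bool(ROLES.get(identity, set()) & RESOURCES[resource])


def enter(username: str, password: str, resource: str) -> bool:
    """Full flow: authenticate first, then authorize for the requested area."""
    return authorize(authenticate(username, password), resource)


if __name__ == "__main__":
    print(enter("batman", "i-am-the-night", "vip_section"))   # True
    print(enter("batman", "i-am-the-night", "back_office"))   # False
    print(enter("joker", "ha-ha-ha", "dance_floor"))          # False
```

Two design points worth noticing: a failed login never says whether the username or the password was wrong (and unknown usernames cost the same hashing work as real ones), and `authorize` refuses anything it does not explicitly know about, so a new area added to the club is off-limits until someone decides which role it needs.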


Okay, so now that we know what this topic REALLY means, let’s move on to a few IAM best practices for securing our digital identity as individual consumers:

1. Use multi-factor authentication (whenever possible).

Enabling MFA should be SUPER high on your to-do list. It adds a layer of protection to the sign-in process: even if a hacker or an attacker gets hold of your login credentials, a second factor such as a code from an authenticator app, a hardware security key, a biometric check, or a one-time password (OTP) sent to you stops them from using the stolen credentials on their own. Where you have a choice, prefer an authenticator app or a hardware key over OTPs delivered by SMS or email, since those can be intercepted or phished more easily.

2. Have a strong password policy.

Keeping an “easy” password means keeping a weak password. We may choose a password that is easy to remember, but in doing so we compromise safety. A strong password is a strong pillar of defense, so set one that you can keep in memory but that is difficult to guess or crack.

As per the National Institute of Standards and Technology (NIST), in Special Publication 800-63B, the following guidelines apply when setting a password (NIST calls it a “memorized secret”):

a) Length must be at least 8 characters, and the system should accept at least 64 characters. Length matters more than complexity, so a long passphrase made of several words is a good choice.

b) Special characters need not be used. NIST recommends that systems not impose composition rules (required symbols, digits, or mixed case), because such rules push people toward predictable substitutions like “P@ssw0rd”; any printable character, including spaces, should be allowed.

c) Repetitive or sequential characters should be avoided (examples: 1234 or gggg), as should dictionary words, names tied to you or the service, and anything that has appeared in a data breach. NIST requires systems to check new passwords against lists of such known-bad values.
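The following added example, written for this post and not taken from NIST or any product, turns those guidelines into an acceptance check: length limits, a blocklist standing in for a breach corpus, context words, detection of repetitive and sequential runs, NFKC normalization (which SP 800-63B requires so that look-alike Unicode forms are compared as their plain equivalents), and deliberately no composition rules. The blocklist and context words are constructed samples; flagging a sequential run anywhere inside the password, rather than only a whole-password sequence, is a design choice of this example.

```python
# Added example for this post (not from NIST or any product): an acceptance check
# in the spirit of NIST SP 800-63B section 5.1.1.2. It enforces length, rejects
# known-bad, repetitive and sequential values, and deliberately imposes no
# composition rules. The blocklist and context words are constructed samples.
import unicodedata
from typing import List

MIN_LEN, MAX_LEN = 8, 64   # NIST: minimum 8; systems should permit at least 64
# Constructed stand-in for a breach corpus / common-password list (real ones are millions long).
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1", "iloveyou"}
# Words tied to this service or its users, which NIST also says to reject.
CONTEXT_WORDS = {"gotham", "wayne", "batman"}


def normalize(pw: str) -> str:
    """NIST requires Unicode NFKC normalization before a secret is compared or hashed,
    so look-alike forms (e.g. fullwidth letters) match their ASCII equivalents."""
    return unicodedata.normalize("NFKC", pw)


def has_repeat_run(s: str, n: int = 4) -> bool:
    """True if any character is repeated n times in a row ("gggg")."""
    return any(len(set(s[i:i + n])) == 1 for i in range(len(s) - n + 1))


def has_sequential_run(s: str, n: int = 4) -> bool:
    """True if any n consecutive characters step by exactly +1 or -1 ("1234", "dcba").
    Design choice here: a run anywhere in the password is flagged, which is stricter
    than the whole-password examples in SP 800-63B."""
    for i in range(len(s) - n + 1):
        codes = [ord(c) for c in s[i:i + n]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, username: str = "") -> List[str]:
    """Return the list of reasons a password is rejected; an empty list means accepted.
    Note what is NOT here: no demand for symbols, digits or mixed case."""
    pw = normalize(pw)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if low in BLOCKLIST:
        reasons.append("in blocklist")
    context = CONTEXT_WORDS | ({username.lower()} if username else set())
    if any(word in low for word in context):
        reasons.append("contains context word")
    if has_repeat_run(pw):
        reasons.append("repetitive characters")
    if has_sequential_run(pw):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Tr0ub4&", "robin1234cape", "Password"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Notice that the all-lowercase passphrase passes while the short, symbol-laden “Tr0ub4&” fails: that is the NIST position in code. In a real deployment the blocklist lookup would be a query against a breach corpus (for example a k-anonymity range query to Have I Been Pwned) rather than an in-memory set.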

3. Change passwords when there is a reason to, not on a fixed schedule

Older advice, and many corporate policies, set a 45- or 60-day password expiry. NIST SP 800-63B now recommends against forced periodic rotation: it pushes people toward predictable variations of the old password (Summer2022!, Summer2022!!), and it does little against an attacker who uses a stolen password within hours of getting it. Instead, change a password immediately when there is evidence of compromise, such as a breach notification for a service you use, a login alert you don’t recognize, or the password turning up in a leaked list.

4. Do not reuse the same password across your applications

Do not use the same password for all the applications you use. If any one of them gets hacked and your credentials are stolen, an attacker can replay that username and password against many other services (this is called credential stuffing), and a well-profiled target makes it obvious which services to try. A password manager makes a unique password per service practical.
