professional development Archives - IDPro
https://idpro.org/tag/professional-development/
The Professional Organization for Digital Identity Management

Celebrating Identity Management Day 2022 with Nine IAM Best Practices from IDPro® Members
https://idpro.org/celebrating-identity-management-day-2022-with-nine-iam-best-practices-from-idpro-members/
Tue, 12 Apr 2022 16:51:59 +0000

The post Celebrating Identity Management Day 2022 with Nine IAM Best Practices from IDPro® Members appeared first on IDPro.

Welcome to Identity Management Day 2022!

Identity management is the term that describes how organizations maintain effective security to prevent unauthorized users from obtaining access to secure systems. Good identity management keeps systems and people secure, enhances privacy, and enables efficient digital experiences for both businesses and individuals.

Identity Management Day was first hosted on April 12, 2021 by the Identity Defined Security Alliance and the National Cybersecurity Alliance to spread awareness about the importance of proper identity management and the dangers of improperly managing digital identities. 

We asked our members to share their best IAM practices for protecting digital identity. Learn from the best by following these 9 tips:

  1. Only collect the data you absolutely need to provide your product or service. The more data you have, the more attractive you become to attackers, and the more risk you take on.
  2. Bad data quality will kill every IAM approach. For example: people suddenly without managers, required data missing, or data disappearing from a source overnight. Plan to keep the bad data out, and when it creeps in (because it will), make sure you have tested the unhappy path before you accidentally fire the CEO.
  3. Follow the ‘principle of least privilege’: don’t assign privileges to those who don’t need them; assign only what is needed to do their jobs.
  4. Prune and clean your account list and remove your “leavers”. It should be a no-brainer, but is actually an often-neglected control measure.
  5. Any MFA (Multi-Factor Authentication) is better than no MFA (see #6).
  6. If you’re using MFA, use Adaptive MFA. Don’t carpet-bomb every transaction with laborious authentication requirements, because other parts of your business could suffer (e.g., signup funnels). Have clear policies when you require stronger authentication and only present those prompts when necessary.
  7. Encrypt personally identifiable information (PII) and personal data (PD) at rest and in transit. Things like emails and phone numbers should never be stored or sent in cleartext.
  8. Block the use of known breached passwords / credentials.
  9. Adopt SSO (Single Sign-on) as a default practice. Friends don’t let friends connect things directly to LDAP for sign-on or use local user ID/password pairs; they adopt SSO. You don’t know who wrote and tested a given application, much less what code it actually contains or how it is patched. Applications do NOT need to handle cleartext user ID and password pairs. Local accounts pose the risk of ghosting credentials, jeopardizing them, or handling them without the same duty of care needed for good security hygiene. SSO is vastly more helpful than trying to remember all the touch points on local credentials when revoking them.

Now it’s YOUR turn to participate! 

Identity practitioners are encouraged to share their best security practices during the 2022 Identity Management Day Virtual Conference, inspiring others to employ effective strategies for securing their digital identities and helping leadership understand the importance of a strong identity management team.

Want to learn more? Check out this 2022 RSA Conference presentation by IDPro members Vittorio Bertocci and Sarah Cecchetti, “Securing Your Direct to Consumer Identity Strategy.”

Celebrating 2 Years of the IDPro Body of Knowledge
https://idpro.org/celebrating-2-years-of-the-idpro-body-of-knowledge/
Thu, 31 Mar 2022 16:01:02 +0000

The post Celebrating 2 Years of the IDPro Body of Knowledge appeared first on IDPro.

by Heather Flanagan

This month marks the second anniversary of our first articles published to the IDPro Body of Knowledge (BoK). In the past two years, we’ve published 28 articles on foundational identity topics from Authentication and Authorization to Practical Implications of Public Key Infrastructure for Identity Professionals.

The first two years of the BoK topics were bootstrapped: any foundational identity topic was welcome. This has led to full coverage in some areas like workforce identity topics, but less coverage in others like access governance. Looking forward, the BoK Committee is developing an editorial calendar to focus on specific topics. In particular, we’re soliciting articles on:

The list goes on and is updated on our publication status page. 

I am incredibly proud of and grateful to a community that is willing to not just write about what they know best, but also take time to review material and offer the feedback that makes the IDPro BoK an incredible collection of information. Our industry is constantly evolving and maturing, and we have already refreshed 18 of our foundational articles to ensure the material is current.

But wait, there’s more! As the BoK evolves, so too does the program committee behind it all. We have recently updated the program charter and need new membership-driven leadership to help guide our strategic direction. This is an opportunity to lead and contribute to the professional knowledge base needed to build best-of-breed identity solutions.

Get in touch on Slack or at editor@idpro.org to volunteer. I look forward to hearing from you!

Heather Flanagan

Principal and IDPro BoK Editor

Spherical Cow Consulting

Heather Flanagan, Principal at Spherical Cow Consulting, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organizations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work.

Women In Identity Unveils the Identity Inclusion Code of Conduct
https://idpro.org/women-in-identity-unveils-the-identity-inclusion-code-of-conduct/
Tue, 29 Mar 2022 17:42:14 +0000

The post Women In Identity Unveils the Identity Inclusion Code of Conduct appeared first on IDPro.

by Ian Glazer

Women In Identity (WiD) is a volunteer-run, international not-for-profit organization that promotes diversity and inclusion across the identity industry, aiming to “promote universal access which enables civic, social and economic empowerment around the world.”

As part of its ongoing work supporting the industry, WiD recently developed an Identity Inclusion Code of Conduct. The first research phase focused on a financial services use case stemming from interviews with individuals impacted by identity exclusion in the UK and Ghana as well as experts in the field. The goal was to better understand how these issues might be addressed by seeking responses to key questions:

1. Who are the key demographics excluded in digital identification to access financial services and products? How might they differ in mature and emerging markets? (Markets selected for this work were UK and Ghana)

2. What form does this exclusion usually take? What do users recommend in terms of inclusion?

3. What measures are product designers and policymakers taking to ensure inclusion? How can these be strengthened? How do those buying ID systems see how inclusion has been built in?

4. What might an Identity Code of Conduct for inclusion and diversity in identification for financial services look like? 

Output from their work to date includes video interviews, “The Human Impact of Identity Exclusion” report, and a project outline. Much like our annual Skills, Programs & Diversity survey, WiD’s research is essential to ensuring that the digital identity and IAM communities are considering and incorporating perspectives and skills that might otherwise be overlooked.

“The lack of diversity and inclusion in identity systems and how that affects access to even basic financial services is a widely discussed problem, but the actual human impact is often far less well understood. This groundbreaking work highlights the stories and struggles of those who have faced exclusion firsthand.” — Louise Maynard-Atem, Research Lead Women in Identity

We are excited to see what will come of their ongoing research and will be anxiously awaiting updates. For more information and regular updates, visit the Women In Identity website and follow them on Twitter.

Ian Glazer

IDPro Co-Founder & Board Member
