Strengthening an organization’s trust
The pandemic has compressed years’ worth of digital transformation into a matter of months. With hybrid working now the new normal, people can work remotely from home (or anywhere) using an array of mobile devices.
But amid the flurry of digital growth, businesses may be exposing themselves to a rising number of risks organization-wide. From a technology and security perspective, digital-first approaches have reduced the number of physical security barriers and massively increased interconnectivity through the cloud and software-as-a-service.
This puts digital identity at the heart of a sound cyber security environment today — and getting digital identity right is critical to building digital trust. It can help an organization identify — seamlessly and unobtrusively — if someone is truly who they say they are. At present, people need to prove their identity repeatedly, often with more personal data than is required for the transaction they are conducting.
It’s important that organizations monitor who may be accessing their ecosystems and make better decisions regarding access to certain resources. Every time someone seeks such access, organizations need the capability to validate a few key factors: biometrics, the specific device and user behaviors, such as the location, time and frequency of access.
As a result, it’s critical to consider moving toward a ‘zero-trust model’ of digital identity. It’s an approach to security that is fundamentally about interrogating every transaction at every connection point. It’s also a journey, and no single technology, tool or platform has all the answers.
Bringing together a common set of capabilities
When it comes to security, the idea of convergence is about organizations treating their workforce, customers and partners similarly. For a long time now, all stakeholder groups — those that help run the business and those they’re trying to sell to — have remained separate. Many businesses use different controls, technology stacks and frameworks between those different user bases.
It’s time to meet in the middle using a common framework to manage digital identities. Moving forward, organizations should leverage a common set of capabilities across consumers, partners and employees. There have been a lot of lessons learned about how best to manage each community. Here are three actions to take to get digital identity management right:
- Bring the internal and external together
It’s important to use a common approach when looking at threats, so make sure external fraud and internal threat programs are linked. Not only does this give full visibility of all potential threats, but it also lets an organization pick up on patterns of crime that blend internal and external vectors.
- Focus on monitoring capability
From a technology perspective, it’s critical to be able to detect and monitor who is doing what with their access. Organizations are often good at authentication, but monitoring can be where security programs fall short, and a lack of integration with processes such as the joiners, movers and leavers process can leave businesses vulnerable.
- Take a risk-based approach to protecting data
Look to prioritize key assets, prevent malicious activity where possible, and be ready to detect and respond to threats quickly. Which assets really merit the highest level of protection? Zero-trust approaches can provide ‘fine grained’ access rights — but they depend on an understanding of which information is of most value to the organization.
Beyond what individual organizations can do, efforts are underway to develop self-sovereign identities — more portable representations of people’s digital identities that will be proofed by governments, financial institutions, utility providers and others. Widespread adoption of digital identity models would represent a great improvement from the status quo, since paper-based documents are vulnerable to theft and fraud.
With proofing, self-sovereign identities hold a higher level of assurance. With these forms of identity, consumers and citizens can choose which organizations to share them with. For example, in the US, it’s possible to link one’s digital travel identity (connected to airports) to one’s medical records, vaccine status, etc.
Governments would play a key role as the ultimate authority on the identity of a citizen, but only by public-private cooperation can organizations harness the innovation, agility and scale necessary to build the solution and secure a digital economy.
Putting a robust digital identity program in place helps organizations increase security and protection, improve risk management, manage access risk and prevent cyber attacks. Smart, forward-looking organizations will waste no time improving the user experience and aligning their internal and external programs to deliver sustainable change and crucial advantages.