I think most of us are ready to put 2020 behind us, closing off final deals and crossing the finish line on projects we may never have expected to need to prioritise this year. We’ve all learnt a lot in a short space of time, not least the critical value of flexible digital infrastructure to support whatever the years ahead may bring for businesses.
Whilst we’re not entirely sure what’s in store for 2021 and beyond, we do know that three digital trends are likely to stay whatever happens next. The first is simply the increase in digital interactions as customers need to transact online, or now prefer its convenience. The second is the subsequent rise in cyberattacks as bad actors take advantage of the increased opportunity for manipulation. The third is the growth of remote working, which most agree is here to stay in some capacity, increasing the likelihood of privileged access over the public internet and Bring Your Own Device (BYOD).
Here are three important, yet oft-forgotten, identity management principles to help guide us through the security, customer experience and operational efficiency challenges that these trends present.
1. Identity data collection – less is more
We’ve seen it with the media’s scrutiny of Covid tracing apps and social media’s role in the US election – more and more people are waking up to their right to privacy. Perhaps not all of us value our privacy as much as we should, but certainly awareness of data privacy is growing and transparency over data use is key.
Best-practice identity management can help you practise the principle of data minimisation – essentially only asking for data that is absolutely necessary, and not keeping it for longer than needed. So if I’m signing up for a music streaming service, it may need to know some aspects of my identity – like my email address and bank details – but, according to data minimisation, would not need to know my gender. The service may prefer to know my gender so its marketing team can analyse demographics, but it is not necessary to my use of the service. Many apps, like Instagram, will make these fields optional to avoid registration abandonment.
It’s important to offer a self-service account management capability so that users can manage their own identity data and view what you know about them. It’s also important to be transparent around what you know and why you need to know it, in order to build trust with your customers. The good news is that many users are still happy to provide non-essential data if there is value for them in doing so, for example if you let them know that this will enable you to personalise the service that you’re providing to them. This results in more loyal customers and more successful marketing/sales teams who can target their efforts based on up-to-date information – not information that’s been assumed or has expired in your CRM.
Speaking of your CRM, make sure it’s integrated with your app’s identity and access management. By integrating these systems, you avoid data silos and wasting time and money on either updating each system individually or not leveraging the most up-to-date information for sales/other processes.
Finally, avoid asking your customers to provide identity credentials when it’s not necessary. By employing Single Sign-On (SSO) and step-up authentication, you can achieve the correct balance of robust security and seamless customer experience. SSO means that customers only need one set of login credentials to sign into all authorised services. If one particular service requires stronger authentication than the others, for example billing, then you can step up authentication for just that service (i.e. require another authentication factor, as we’ll see in the next principle).
2. MFA is a basic requirement
Multi-factor authentication (MFA) is no longer a security gold standard; it is just standard. As a reminder, MFA is the use of more than one authentication factor (like a username/password plus a fingerprint scan). Customers generally fall into two camps – the camp that cares about their online security so will demand MFA availability, or the other camp who don’t really care and won’t go looking for it (and are therefore more likely to present a breach risk to your organisation). You must offer MFA to your users and, if you don’t enforce it, encourage them to set it up. If you don’t have MFA in place by the end of 2020, 2021 is the year you must find the time and budget for it. Not doing so may mean much more time and budget spent on dealing with a data breach down the line.
Remember that not all authentication factors are created equal. Some, like a password or social media login, are unlikely to be strong enough when used on their own as they can be hacked more easily than other methods. Others, like a bank ID or authenticator app time-based one-time password (TOTP), are stronger as they’re harder to hack. Whichever combinations you decide to enable for access to your application should reflect the sensitivity of the data you’re storing, the geographical location of your users and your regulatory context. It’s also a good idea to provide options, as only providing one choice will alienate certain users (e.g. some users may not have social media accounts or may be unable to provide certain biometric data).
3. Least Privilege
It can be hard to keep on top of which accounts have access to which systems internally, let alone with your (usually more numerous) external customers and/or partners. The principle of least privilege states that user accounts should only ever have the minimum access authorisation necessary for their role in the service. I’ll cover two examples.
The first example is with remote employees. When staff are in the office, it may be easy to identify anyone who should not be accessing your company systems and stop them before they do any damage. After all, they’d have to be sat in front of a team that knew them for an imposter. But with the increase in remote working, it’s more likely that bad actors could take advantage of the anonymity and gain unauthorised access to an account. If this does happen, you’ll want the hacked user’s account to have access to as little data as possible to minimise what information is visible/vulnerable to the hacker.
The second example is a business-to-business use case. Say you run an online service for your business partners, where several employees within the partner business need access to your service. The easiest thing to do is give everyone at the partner business an account with the same level of privilege. However, this would mean that if any of those accounts is hacked, the hacker also gains full access rights. But the accounts don’t all need access to every area, so this method presents an unnecessary risk. Perhaps only an administrator needs to have access to billing, while an ordinary member only needs enough access to upload documents. Here, different access rights levels reduce the risk of more sensitive areas being hacked. In this example, Delegated Authority streamlines how you handle these access levels by giving the partner business administrator control over their own employee invitations. This saves both businesses time and, therefore, money.
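The partner scenario above, combined with the step-up rule for billing from the first principle, can be expressed as a small default-deny policy check. This is an added example, not Ubisecure's code or API; the role names, service names, factor labels and the rule that an administrator may grant either role are assumptions made for illustration.

```python
# Added illustration: roles, services and factor labels are hypothetical.
from dataclasses import dataclass, field

# Least privilege: each service lists the roles allowed in and how many
# distinct authentication factors it demands (billing is stepped up to two).
POLICY = {
    "documents": {"roles": {"member", "admin"}, "min_factors": 1},
    "billing":   {"roles": {"admin"},           "min_factors": 2},
}
# Delegated authority (assumed rule): roles each role may hand to invitees.
GRANTABLE = {"admin": {"member", "admin"}, "member": set()}

@dataclass
class Session:
    user: str
    org: str
    role: str
    factors: set = field(default_factory=set)  # e.g. {"password", "totp"}

def authorize(session, service):
    """Return 'allow', 'step_up' or 'deny' for one SSO session."""
    rule = POLICY.get(service)
    if rule is None or session.role not in rule["roles"]:
        return "deny"      # default deny: unknown service or wrong role
    if len(session.factors) < rule["min_factors"]:
        return "step_up"   # right role, but another factor is required
    return "allow"

def can_invite(inviter, target_org, target_role):
    """A partner admin manages invitations for their own organisation only."""
    return (inviter.org == target_org
            and target_role in GRANTABLE.get(inviter.role, set()))

if __name__ == "__main__":
    # Constructed sample sessions for two employees of one partner business.
    admin = Session("alice", "partner-a", "admin", {"password"})
    member = Session("bob", "partner-a", "member", {"password", "totp"})
    print(authorize(admin, "documents"), authorize(admin, "billing"))
    admin.factors.add("totp")              # admin completes the second factor
    print(authorize(admin, "billing"), authorize(member, "billing"))
    print(can_invite(admin, "partner-a", "member"),
          can_invite(admin, "partner-b", "member"),
          can_invite(member, "partner-a", "member"))
```

Counting factors is a simplification; a production policy would also weigh factor strength, since the second principle notes that not all factors are equal.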
With life online taking centre stage right now, digital identity is still firmly under the spotlight. How we protect and make life easier for our online users now will ultimately have a huge impact on business success, regardless of how long it takes to return to ‘normality’.
Of course, these IAM principles above are only three out of a long list, but it would be wise to keep returning to these and asking yourself and your team if you continue to do enough on each.
For your IAM needs, including SSO (Single Sign-On), MFA (Multi-Factor Authentication) and Delegated Authority, find out more about Ubisecure Customer Identity and Access Management (CIAM).