A digital identity is typically defined as a one-to-one relationship between a human and their digital presence. A digital presence can consist of multiple accounts, credentials, and entitlements associated with an individual.
Frequently, digital identity notes the presence of an individual or entity within applications, networks, on-premises systems, or cloud environments. This may be a person, organization, application, or device used for authentication, authorization, automation, and even impersonation during runtime. Digital identity may also be interchangeable with “digital entity” or simply “identity” depending on the context.
A user is different from a digital identity. Instead, a user refers to the actual person operating a resource to whom the digital identity is assigned, and whose identity is associated with subsequent activities. Users and digital identities possess a one-to-many relationship regarding accounts. Identity theft or compromise can have serious implications for individuals and organizations. A compromised identity can potentially allow a criminal to gain data, systems, and other access available to the victim.
Digital privacy is also an important concept to note. Digital privacy refers to the desire and/or right to have one’s identity, and sensitive data related to one’s identity, concealed and accessible or known only to those authorized by the identity. Data privacy and digital privacy protections are important for protecting identities. Many regulations, such as EU GDPR, HIPAA, etc., have explicit mandates around how data is collected, transmitted, and handled to protect identities and privacy.
In this post, we will further define what digital identities are, use cases, identity attack vectors and threats, best practices for safeguarding identities, as well as the major disciplines concerned with identity security.
Here’s how the Collins English Dictionary defines identity:
In computing, the concept of “identity” is used as a standardized representation of an individual. An identity in cyberspace is a literal projection of an individual and their interactions within a computer resource.
Identity is typically used to illustrate a one-to-one relationship between a human being and their digital presence. This presence, however, can have multiple accounts, multiple credentials, and an infinite number of entitlements in its electronic format. For example, consider the accounts associated with a user’s enterprise identity.
An identity can represent a defined resource, an asset, or even an automated robot process. There may not be a human individual associated with a digital identity. This extended definition allows for complete computerized systems taking a life of their own and, thus, can be assigned an identity — even though they do not “think.”
Digital identity and identity may be used interchangeably in cyberspace and digital realms, though the correct terminology will depend on the context. Identity might be a reference to indicate a broader, all-encompassing definition of a human or non-human object’s presence. However, it may also be used synonymously with a narrowly-defined digital identity — such as an account, a password, or another designated user identifier.
While there are many types of identities, they may be broadly organized across the following three categories:
Human digital identities allow human users to be assigned access or privileges within a network. Human identities can be further broken down into employee identities, partner identities, vendor identities, and customer identities.
Machine identities (non-human / non-person identities) are a mechanism allowing any non-human entity, including applications, software robots, endpoints (server, desktop, IoT, etc.), to be authenticated within systems.
Cloud Identities are used to access resources in the cloud. These identities and accounts can be highly dynamic, and may often have some form of privileged access.
An account, or user account, is used to operate within a computer or network environment. Typically, access to an account requires identity authentication, such as submitting a password or credential.
Accounts often have complex relationships with identities and are typically defined locally, grouped together, or managed with an identity infrastructure such as directory services. The level of privileges and role-based access will depend on the security model of the system implementing them. This may vary significantly from one implementation to the next.
Identities can be assigned a wide variety of accounts across the enterprise. Accounts can be of many diverse types and use a wide variety of techniques to enforce credentials, control entitlement, and govern access. If a single account is compromised, it can be used to compromise the entire identity and its privileges. For instance, the compromise of an account with administrator access, or some other high-level application privilege, can easily be leveraged against the identity to compromise other associated accounts and services.
An account is an example of a digital identity, but a digital identity is not always an account. The concept of a digital identity instead represents the presence of a user within a resource – a presence not always associated with an account.
Attributes about the identity itself are what classifies ownership. Data used to define a digital identity can vary depending on the information collected. This results in defining attributes ranging from static identifiers – including usernames, passwords, or legal names – to dynamic, potentially unidentifiable data points, such as browser activity or location data.
Identifiable information may also be referred to as “resolvable” data, and unidentifiable information conversely as “non-resolvable.” The attributes contained in an identity allow for attestations, authentication, and authorization of a corresponding account to interact with a resource via entitlements, permissions, privileges, and rights. This could be interactive or automated.
The concept of an "identity" also denotes various aspects for business and personal use, when owned by a human being. These two types of identities should typically never be mixed, especially when using IT resources for one use case or another. In other words, your digital identity when using business applications should be different than when using personal applications. Mixing the two increases the likelihood of a breach, malware, or ransomware attacks.
Digital identifiers are data at the root of a digital identity. Digital identifiers are used to attribute behavior on an application, system, or website to an individual, with or without information revealing their real identity.
Digital identifiers can vary depending on the resources being accessed. Within corporate networks and resources, employees will have direct identifiers (name, birthdates, job title, etc.) used to track their interactions. On the web, browsing data, shopping behavior, and other activities are used to assemble a digital identity – potentially without the inclusion of any personal identifiers. Rather, data like IP addresses or randomly generated IDs are used to track activity within a site or across sites.
The number of digital identities has exploded in recent years, driven significantly by the cloud and the increase in machine identities. As an enterprise expands, so does the number of digital identities on a given ecosystem. In fact, according to the IDSA’s 2022 Trends in Securing Digital Identities report, 98% of security professionals reported a substantial increase in the number of identities they manage, mostly driven by cloud adoption, third-party relationships, and new machine identities.
Digital identities are necessary to access software-as-a-service (SaaS) and cloud-hosted applications. These resources are often used across the organization, meaning every individual user requiring access will also need a digital account to represent them.
Currently, it is popular to utilize services like Google, Microsoft, Apple, or Facebook to register and authenticate a digital identity into a third-party resource. This identity is then hosted and managed elsewhere. Real-world use cases include authentication into services like PayPal and Amazon for financial transactions based on attributes stored in the unfederated account. These are all instances of passing identity information from a directory service to a system with no knowledge of, or storage requirements for, the identity being authenticated.
The increase in identities and accounts is also leading to a larger attack surface, according to the IDSA report. In 2021, 84% of organizations reported experiencing an identity-related breach, with 78% incurring a direct business impact. However, these breaches were seen as preventable or mitigatable with proper identity security practices by 96% of respondents.
The purpose of an identity attack is straightforward — a threat actor wants to find a method to compromise an identity and impersonate it for their own agenda. Their goal is to disrupt the one-to-one relationship of a person to their identity and then compromise the integrity of the identity-to-account relationship. Therefore, the risk surface encompasses all the methods to disrupt these relationships. This threat model applies to both physical and electronic identities.
In the context of corporate cybersecurity, privileged identities (identities with elevated access or permissions to corporate resources) are a high-value target for cybercriminals. Non-privileged identities may still possess access to resources, but are unable to effect change or move between resources like privileged identities can. However, cloud identities can blur this distinction. The discipline of managing these privileged identities is called privileged identity management (PIM), or privileged access management (PAM).
Below are best practices for digital identity protection. Most of these practices can apply to enterprises as well as to individuals looking to safeguard their own identity.
The first step is getting a handle on the footprint of the identities under your charge. For an individual, this can mean uncovering all the accounts associated with your identity.
For an enterprise, the scope entails aggregating and correlating identity data across your organization’s resources, infrastructure, and applications. The identities and accounts involved will include a mix of human and machine, and may also include employee, vendor, and/or customer identities. An aggregated identity data view is necessary for understanding what identities exist and how they are being used. This helps you assess baseline risk and measure security improvement as you apply policies and enhance controls.
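The aggregation and correlation step described above, together with the earlier point that one compromised account exposes every other account tied to the same identity, can be made concrete with a small inventory script. This is an added example, not code from the original post; the account records, system names, field names and risk weights are constructed assumptions.

```python
"""Correlate account exports from several systems into identities.

Added example; the records below are constructed sample data and the
risk weights are assumed, not taken from any product or standard.
"""
from collections import defaultdict

# Constructed sample export: one row per account, as a discovery tool might
# collect from a directory ("ad"), a SaaS app and a cloud provider.
# "owner" is the e-mail each system records for the account; "" means none.
ACCOUNTS = [
    {"system": "ad",    "account": "jdoe",          "owner": "jdoe@example.com",   "privileged": False, "type": "human"},
    {"system": "ad",    "account": "jdoe-adm",      "owner": "jdoe@example.com",   "privileged": True,  "type": "human"},
    {"system": "saas",  "account": "john.doe",      "owner": "JDoe@Example.com",   "privileged": False, "type": "human"},
    {"system": "cloud", "account": "deploy-svc",    "owner": "jdoe@example.com",   "privileged": True,  "type": "machine"},
    {"system": "cloud", "account": "old-ci-runner", "owner": "",                   "privileged": True,  "type": "machine"},
    {"system": "saas",  "account": "asmith",        "owner": "asmith@example.com", "privileged": False, "type": "human"},
]


def normalize_owner(owner: str) -> str:
    # Case and whitespace differences between systems must not split one identity.
    return owner.strip().lower()


def build_inventory(accounts):
    """Group accounts by identity; accounts with no resolvable owner are orphans."""
    identities = defaultdict(list)
    orphans = []
    for acct in accounts:
        owner = normalize_owner(acct["owner"])
        (identities[owner] if owner else orphans).append(acct)
    return dict(identities), orphans


def blast_radius(identities, system, account):
    """Every account reachable once the given account's identity is compromised."""
    for accts in identities.values():
        if any(a["system"] == system and a["account"] == account for a in accts):
            return sorted(f"{a['system']}:{a['account']}" for a in accts)
    return []


def risk_score(accts):
    """Assumed baseline weights: privileged 3, non-privileged 1, +1 if machine."""
    return sum((3 if a["privileged"] else 1) + (1 if a["type"] == "machine" else 0) for a in accts)


def report(accounts):
    identities, orphans = build_inventory(accounts)
    return {
        "identities": {owner: risk_score(a) for owner, a in identities.items()},
        "orphans": [f"{a['system']}:{a['account']}" for a in orphans],
    }


if __name__ == "__main__":
    ids, _ = build_inventory(ACCOUNTS)
    print(report(ACCOUNTS))
    print(blast_radius(ids, "saas", "john.doe"))
```

Re-running the report after each policy change gives the baseline-versus-improvement measurement the text calls for; the orphan list is the input to the clean-up of unused accounts.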
One of the most important pieces for enterprises is to implement a comprehensive identity and access security policy. This policy should govern how access—including privileged access—is provisioned/de-provisioned and audited. The policy should also define and operationalize information governance (also called data governance). This entails proper privacy and data security practices, such as the collection, handling, transmission, and deletion of data.
To prevent identity-based compromises and identity theft, individuals need to self-educate on the risks, including how they share information, websites they use, data collection / privacy practices, and password practices. For instance, they should grasp what functions it is okay to perform on http vs. https sites. They should also understand the high risk of common security questions used across many sites to verify authentication, and how to mitigate this threat.
When it comes to an enterprise, your employees are one of the most important lines of defense you have against a breach. They also represent one of your weakest links. While you can leverage tools, technologies, policies, and controls to help safeguard your security, it’s crucial to train all your employees on the types of identity-based threats they are likely to encounter.
Users should be trained and empowered to identify suspicious emails, social engineering attacks, and other activities and report these to their IT department. They should recognize when a link in an email or text message should not be clicked. They should understand attackers can be persistent and exploits like MFA fatigue attacks are designed to wear them down. Social engineering and phishing techniques continue to evolve, so it is important that education is ongoing.
A threat actor has countless opportunities to steal an identity using the information technology crucial to everyday work. Identity obfuscation refers to a method to stifle a threat actor’s ability to establish a link between accounts, identities, and data. Identity obfuscation can involve the implementation of Privacy Filters. These are typically application features, software, or even physical additions to devices built to shield your data and protect identities. In many cases, Privacy Filters are required by law (e.g., GDPR) to obfuscate a user’s identity while collecting performance and analytic data.
Examples of Privacy Filters in everyday work and life include:
Despite the promise of “passwordless” technologies, passwords are only increasing in prevalence. Thus, securing passwords remains a cornerstone to protecting an identity from theft or compromise.
Individuals should avail themselves of personal password manager tools to centralize security of their passwords and accounts. These tools can automate password security best practices so the task of generating, remembering, and storing dozens or hundreds of passwords is not left to humans.
Of course, first it’s important to find all the accounts where passwords exist. As part of this discovery process (covered in #1 above), unused, unneeded, and other risky orphaned accounts should be deleted.
Enterprises should implement password managers to manage every identity touching the enterprise. Privileged password management solutions are specialized PAM tools for managing the accounts and credentials associated with privileged access—for both humans (employee, vendor, etc.) and machines.
All these tools should apply robust encryption to ensure passwords and other secrets are indecipherable and unusable to threat actors.
As high-profile breaches at Okta, Cisco, and Uber have shown, multi-factor authentication (MFA) is fallible. In fact, techniques such as MFA bombing or MFA fatigue are a preferred means of starting or advancing an attack by some threat groups, such as Lapsus$. Additionally, MFA adds an extra layer of permission controls, called step-up authentication, to your identity security posture.
To enhance MFA security, organizations should look to move away from basic mobile phone-based MFA to more secure possession-based authentication, such as FIDO2, particularly for highly privileged or sensitive accounts.
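The MFA fatigue pattern described above is detectable on the defender's side: a burst of push prompts to one user in a short window, especially one that ends in an approval, is the signal to look for. The following is an added example, not code from the original post; the log lines, their format, and the window and threshold values are constructed assumptions, since real identity provider logs differ in shape.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added example; the log format and thresholds are assumptions, and the
log lines are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <result>" per line.
LOG = """\
2024-03-01T02:14:05Z jdoe mfa_push denied
2024-03-01T02:14:41Z jdoe mfa_push denied
2024-03-01T02:15:20Z jdoe mfa_push denied
2024-03-01T02:16:02Z jdoe mfa_push denied
2024-03-01T02:17:10Z jdoe mfa_push denied
2024-03-01T02:18:33Z jdoe mfa_push approved
2024-03-01T09:00:00Z asmith mfa_push approved
2024-03-01T09:30:00Z asmith mfa_push denied
2024-03-01T11:45:00Z asmith mfa_push approved
"""


def parse(log: str):
    """Return (timestamp, user, result) tuples for MFA push events only."""
    events = []
    for line in log.splitlines():
        ts, user, event, result = line.split()
        if event == "mfa_push":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Sliding-window count of pushes per user.

    A user is reported when at least `threshold` pushes fall inside `window`;
    the finding records the largest burst seen and whether any prompt inside
    a qualifying burst was approved (the sign the user eventually gave in).
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, items in by_user.items():
        start = 0
        for i, (ts, result) in enumerate(items):
            while ts - items[start][0] > window:   # slide window start forward
                start += 1
            burst = items[start:i + 1]
            if len(burst) >= threshold:
                f = findings.setdefault(user, {"pushes": 0, "approved_in_burst": False})
                f["pushes"] = max(f["pushes"], len(burst))
                f["approved_in_burst"] = f["approved_in_burst"] or result == "approved"
    return findings


if __name__ == "__main__":
    print(find_fatigue(parse(LOG)))
```

A finding with `approved_in_burst` true is the case to treat as a probable compromise and trigger session revocation and a credential reset, not just a ticket.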
Endpoints are the common gateway for attackers to infiltrate systems and access data. For enterprises, endpoint security solutions may include antivirus or antimalware, privileged access management, and EDR / MDR / XDR; for personal users, this may simply mean antivirus and other basic tools for their PCs and IoT devices. The type of controls needed will vary depending on the device type and the sensitivity of data on the endpoint.
Whether it’s a personal device or an enterprise server, keeping systems up-to-date and patched is one of the best ways to ensure a strong baseline security posture and minimize the attack surface. Software updates are often deployed to fix known security flaws, which means outdated software can present a huge security gap — one that threat actors already know how to target.
These vulnerabilities could allow an attacker to intercept information, steal passwords, or deploy rogue software to steal identity-related information or perform reconnaissance. You can help keep your devices and security infrastructure up to date by configuring all the devices on your network to update automatically. Automating updates will help ensure employees are updating their software regularly, even if the devices they are using to connect to the network are located off-premises, as is becoming the norm in the work-from-anywhere world. Complex environments will require more advanced tooling, such as vulnerability management solutions.
The principle of least privilege refers to the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities. Most users, whether on their personal laptop or corporate device, should not be logged in as an admin for routine computing, such as web surfing and email.
One best practice falling under least privilege is to remove these admin rights wherever possible. Use a standard account for performing any activity that doesn’t explicitly require privilege. Since most malware needs privileges to execute and/or move laterally, eliminating privilege reduces the ability of an attacker to perform the types of activities that may lead to compromising identities.
In today’s perimeterless, work-from-anywhere world, this goes far beyond network security. To compromise an identity, most attacks today need a digital path to data. This is usually initiated via remote access. There are many different tools and protocols used for access, from firewalls to VPNs to zero trust networking solutions. It’s important to match the right technology to the right use case to help ensure identities and accounts are secure.
Hardening your IT environment is a crucial step in strengthening your overall security and preventing the compromise of identities and accounts. Some systems hardening best practices include removing unnecessary software applications and privileges, and closing unneeded or risky ports. Performing these activities will condense the system’s attack surface, and thereby reduce system vulnerabilities and security risks.
Identity and access management (IAM), also commonly referred to as identity management (IdM), can be broadly defined as the enterprise policies and technologies involved with ensuring only the right identities can access the right resources at the right times for the right reasons/context. Via streamlined workflows and processes, IAM solutions can enable single sign-on (SSO) to a range of systems and applications.
The Five Core Tenets of Enterprise IAM (The Five A's):
Privileged Access Management (PAM) is a critically important specialized area within IAM focused on controlling and auditing the elevated (privileged) access and permissions that need to apply to identities, users, accounts, processes, and systems within an IT environment.
Identity governance and administration (IGA) is another important identity management concept and deals with the orchestration of digital identity management across an enterprise.
Identity threat detection and response (ITDR) is an emerging discipline that marshals identity insights, threat intelligence, and identity security and management controls across multiple types of toolsets to proactively prevent identity-based threats, and also pinpoint and mitigate attacks. This approach is also seen as crucial for protecting the integrity of identity-based systems themselves.
Identity security, or identity-based security, encompasses all the above disciplines (IAM, PAM, IGA), and more. Identity security centers on safeguarding digital identities, privileged accounts, and other identity-based entities from cyberthreats, both internal and external. Doing so relies on authenticating the identity of individuals as they request access. Within corporate resources, there is significant emphasis on identity verification, authentication, and authorization. In some sectors, security protocols have evolved to incorporate biometric data, such as fingerprinting and facial recognition.