Redefining identity management in the digital world
Art Coviello, executive chairman, RSA
Prior to the internet and the migration of much of our lives online, our public identity, while potentially a complex amalgamation of different roles, was essentially integrated and unified. Today, we are able to distill and separate those different roles into distinct online identities based on the groups with which we choose to interact – from the consumer one that Amazon and Netflix know, to the medical one that our healthcare providers know, to the professional identities that our employers and colleagues know, to the social one that our Facebook friends know. Each of us has a different approach to how much overlap we allow between our identities. For example, we may connect our social and consumer identities but we may not feel comfortable connecting our social and professional identities.
For those of us tasked with managing the security of the digital world for the enterprise, there are serious ramifications to this evolution of identity. Specifically, how we manage identity must evolve as well if we are to maintain the security of our organizations.
The need for this evolution has been exacerbated by the consumerization of IT, as represented by the growth of bring-your-own-device (BYOD). Managing identity on single-purpose, work-provided mobile devices that were connecting to on-premises applications over third-party networks was challenging enough. That challenge has expanded exponentially because work identities now coexist with personal identities on a multi-purpose, user-provided device that connects to on-premises apps and apps in the cloud.
We need to redefine identity management to meet these new challenges by shifting our perspective on identity management and updating its technological underpinnings.
We must first shed our IT-centric approach to identity management, focusing less on being a gatekeeper of IT assets and more on facilitating the goals of the business. The only way to do this is by allowing business owners to own and drive identity management controls, as they are the ones best positioned to understand the identities and corresponding roles supporting their business.
Secondly, we must update how we approach identity management from a technological perspective. We need to get beyond usernames and passwords. We need to enhance our methods of authentication from one- and two-factor to multi-factor and from a single point in time to continuous authentication. We need to move to a Big Data approach to identity management that is able to analyze and correlate our numerous identities and roles to efficiently and effectively enforce the right level of authentication and authorization for a wide variety of access patterns. And finally, identity management must be universal, enabling access from any device to any application.
Our identities are evolving online. Identity management can't afford to stand still. We have the ability to adapt to the new realities of the digital world. Now, as Nike would say, we need to just do it.