It is likely that you have not heard the term “Identity Management” within the field of cybersecurity, in this article we will see what it is and its great relevance.
What is Identity Management?
Identity management, also known as IDM, is a set of processes, policies and technologies designed to manage and protect users. This concept ranges from the individual user of a personal computer, to larger organisations, such as enterprises seeking to administer and manage the users of their employees.
In simple terms, we could compare it to a virtual doorman that ensures that only authorised persons have access to a place on the internet, or to a specific resource.
Because it sits between users and critical business assets, identity and access management is a critical component of any enterprise security programme. It helps protect against compromised user credentials and easily cracked passwords that are common network entry points for criminal hackers looking to plant ransomware or steal data.
It should not be forgotten that identity management will determine whether a user has access to systems, but it also establishes the level of access and permissions a user has on a particular system. For example, a user may be authorised to access a system, but restricted in some of its components.
And how do we achieve this security?
Even if you don’t relate Identity Management to your daily life, it is something you as a user use every day. Authentication factors are part of many of the processes we perform. And you may ask, what is an authentication factor? We segment them into 3 types:
One thing I know:
- Password
- PIN
- Date of birth
Something I have
- SMS with a 6-digit code
- Identification cards
- Code-generating applications (e.g. Microsoft Authenticator, Google Authenticator)
Something I am
- Fingerprint
- FaceID
Good practices, the best way to help us from the GDI
Although we always set up a “something I know” factor (such as passwords and PINs), advances in attacks to obtain confidential information mean that this is not enough. Attacks involving massive data breaches, including sensitive information such as passwords, are occurring on a recurring basis. A very common hacking practice consists of simulating trusted websites (our bank, social networks), so that we enter our credentials to gain access to our accounts.
This is where the GDI helps us as users, good practice always indicates that we should have at least 2 different authentication factors. Several examples:
- You want to log in to Facebook with your password (something I know), and it asks you for a second factor, in this case you have set up the SMS with a 6-digit code.
- They want to carry out a transaction after obtaining your banking credentials, but you have set up the two-factor and this prevents them from completing the transaction.
- You want to log in to Outlook Online for company email. You enter your email and password, and to confirm that it is you, you are asked to confirm via the Microsoft Authenticator application.
Finally, I would like to advise you to remember that passwords have several weaknesses. Importantly, these include being easy to guess, easy to crack, easy to phish and constantly repeated. Repeated passwords allow hackers to gain access to multiple servers, databases and networks. Therefore, building stronger authentication around passwords should become a key consideration for your security.
