by Brian Kelley
“Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” (Gartner Research)
In other words, IAM is about making sure that the person logging into an account is the account's genuine owner. If we lived in a world of total honesty, passwords would be enough and Identity and Access Management would just be a series of network protocols and security certificates. But people steal passwords all the time, and a password doesn’t truly identify the real user at all. That might be your data that’s attached to the username and password combo, but anyone who has the username and password can log in, so the “right” individual is never actually identified.
Unless you’re using a password manager (hint: you should be), you probably know at least some of your passwords, right? The problem is, knowledge is not exclusive: It’s available for anyone willing to seek out and learn (or steal) that knowledge. That’s why knowing usernames and passwords is a terrible way to identify yourself online. As a form of ID to determine if the person accessing their data is the actual person, it’s almost entirely useless.
Then there are a few inconvenient truths about how passwords work against you. First, routine database breaches can completely expose your passwords, making them horrible ways to prove your identity. Second, you can always be found online unless you’re taking active and technical steps to remain as anonymous as possible. And finally, your digital footprint is vast, and it keeps growing with each new app or bill you pay online. The damage from network intrusions compounds: more usernames and passwords lead to higher exposure and more data breaches, and the cycle continues.
The “right” combo
IAM is an active process that goes beyond just logging in, but logging in is still the critical weak point. We’ve talked before about usernames as being a type of dangerous label that’s permanently attached to you on the internet. There are a few reasons why having a username is a good idea, and they almost always have to do with convenience rather than security. Because passwords and usernames can be entered and used by ANYONE who knows them, they’re inferior forms of identification that don’t protect your data.
So what’s left? Confirming identity and authorizing access every time you log in takes a lot more than entering a passphrase. Major service providers are doing this in a lot of ways; the most common these days is flagging logins from unfamiliar devices or locations. But to stop fraudulent logins before they happen rather than flag them afterwards, you need the right style and combination of authentication. At the very least, passwords shouldn’t be the primary login method.
There’s a Difference Between Identity and Online Identity
Reality versus online life is a contextual concept. That’s the short answer when we talk about the philosophy of identity and the elements that make you, well, you. Managing this one digital identity in an online environment where you can access multiple services is tricky, and it eludes many companies and services. And the idea that credentials as weak as usernames and passwords could ever do this is inherently impossible.
At a minimum, login credentials should be as complex as possible and should never be tied to your real-life identity. When the user chooses the credentials, they are left open and vulnerable for someone else to come along and take. Authenticating credentials should be an automated process that no other human can interfere with.
And that’s important because they will interfere. Malicious programs probe and test everything that’s connected to the internet, searching for entry points and data to steal. Incorporating an authentication device that’s unique to the owner and isn’t stored online is the only surefire way of proving a user’s identity. If it can be stolen or copied, the process of IAM fails.