Identity is Everywhere
December 18, 2019
The Identity Lifecycle
Identity plays a role in nearly every facet of the corporate enterprise, and it usually begins with the employee onboarding process. Companies verify potential employees’ identities and thoroughly vet them with background and credential checks, like professional licenses, certifications, education level, insurance coverage, and more, before they even enter the door.
Once an individual or business has access to an enterprise’s platform or infrastructure, the enterprise then needs to decide how much access they should have. Privilege escalation is typically determined on a case-by-case basis and its parameters can change over time. Because escalated privileges are often based on an employee’s access to sensitive data, granting them has traditionally necessitated some level of authentication that, much like verification, can produce varying degrees of assurance.
Authentication options that include biometrics (e.g. facial recognition, fingerprint scans, and speech recognition) are likely to continue growing in popularity, as these methods, when coupled with verification, can produce a very high level of assurance that the individual is who they claim to be. Biometric authentication is considered to be effective because it ties a unique identity to the individual. Slightly lower on the verification assurance scale are physical security, like key fobs or cards to enter an office building, and digital security, like passwords, PINs, and knowledge-based verification to gain (or re-gain) access to a company’s systems.
Identity is becoming more critical and is encroaching on areas that used to be standalone. In a zero-trust world where KBV and other two-factor authentication methods like SMS and email are no longer effective against fraudsters and hackers, it’s clear that purchasing decisions around identity verification solutions should focus on how platforms can operationalize identity to impact abandonment, conversion, loyalty, fraud, credit risk, and customer experience.
Identity is Converging on Authentication
According to Gartner, existing authentication platforms will be displaced by identity corroboration systems in the next 4 years. In this report, Gartner claims that “the solutions that were highly effective five years ago are insufficient today against the more sophisticated attacks without supplementation from other technologies and solutions.”
While authentication is absolutely necessary for identity verification, traditional methods like knowledge-based verification (KBV), passwords, PINs, and other multi-factor and two-factor authentication techniques are quickly becoming outdated and are no longer endorsed by government agencies like NIST and U.S. GAO.
Analysts now recommend that enterprises consider implementing proper identity proofing and corroboration beyond new account registrations. This necessitates platforms that operationalize identity for step-up verification in privileged access management and in password or PIN resets, to prevent account takeover.
Purchasing decisions around holistic identity solutions must be carefully considered, as identity affects different types of enterprise users (e.g. employees, vendors, contractors, partners, “gig” workers, customers, and visitors/guests), as well as different areas of the organization.
Who Owns Identity?
Identity is not a static function; rather, its broad reach impacts nearly every department within an organization, including, but not limited to, human resources, IT, marketing, and procurement.
HR: Corroborates and verifies applicants’ and employees’ identities during the hiring and onboarding process and continues this practice throughout an employee’s lifecycle at the company. Identity for privileged access can sometimes fall under HR’s jurisdiction, but can also be a job function of the IT department.
IT: Leverages identity data for all account-related activity, from new user registration to password resets.
Marketing: With the introduction of CCPA and new obligations around data subject requests (DSRs), U.S. marketing teams will likely assume more of the organizational identity responsibility, as they’ll be required to furnish any consumer data requested by a data subject within a 45-day time period.
Procurement: Owns any identity-related activity as it pertains to contracting, hiring, and onboarding new partners. This might include verifying the identity of a business owner, or verifying a business license.
No single department owns identity, and many businesses have found it difficult to implement cross-functionally. While companies debate the best way to operationalize identity, data breaches and other cyberattacks continue to rise, even as enterprise security becomes more sophisticated. Decisions around implementation should be more strategic, and enterprises should consider a solution that supports long-term identity goals and systems.
Identity’s Impact on Data Breaches
The zero-trust world we live in today has created a new problem in which every user must be verified, and in doing so, it leads companies to amass more personal data than they ought to. Some enterprises practice good security hygiene and routinely scrub their databases to remove personal data that’s no longer relevant or necessary, but not all businesses have the time or resources to do this regularly.
Companies that hold highly sensitive data are more likely to experience a breach because they make for bigger targets than those that collect and hold less verified data.
Data breaches are costly and can ruin companies’ reputations, which is why haphazardly holding onto large amounts of sensitive data is no longer considered beneficial to either the business or the individual. In fact, holding too much personal data is now considered to be more of a liability than an asset.
Before enterprises determine how they can operationalize identity within their organization, they should first consider how they’re collecting and storing their data, as cybercriminals are always one step ahead in breaching even the most secure databases.
From a compliance standpoint, individuals are now within their rights to request access or deletion of their data per GDPR and CCPA regulations, which leaves enterprises that neglect to minimize or secure the data they’re collecting subject to a litany of individual and/or class action lawsuits, which can get very expensive to settle. Knowing that data is safely collected and stored means that enterprises have an extra line of defense against cybercriminals and lawsuits.
So, how can businesses reconcile their need for personal data with their desire to avoid a breach? Encryption. This ensures that sensitive data is safeguarded from potential hacks, which leads to increased trust in the enterprise from every type of user, from employees to customers and everyone in between.
How Evident Helps
Evident is a trusted leader in identity and credential verification. Our unique privacy-first platform protects verified personal data with end-to-end encryption, eliminating your exposure to sensitive information. Evident verifies the identities, credentials, and qualifications of both individuals and businesses, and can even support risk decisioning, making it the most holistic identity solution currently available.