Identity and access management (IAM) solution providers do more than simply provide a product. They are on the front lines of cybersecurity research, innovating new ways to store and secure identity data, and fighting back against hackers and insider threats. They know the identity industry trends and threats better than anyone.
Therefore, we make a point to read through IAM vendors’ blogs and pulling out what key best practices we can learn from them. This time we read through the blog of Ubisecure: a Finnish Customer Identity and Access Management (CIAM) solution provider. Here’s what we gleaned from their blogs posts in Q1 2018:
We all know how things run nowadays. Customers can’t make purchases or use services without giving the enterprises at least some personal data. But now so many companies are demanding so much information, customers have begun forgetting who has their data or where it is stored.
Ubisecure observes that while enterprises do need to ask consent before collecting, storing, and using users’ identity data, the process of asking for users’ consent is incredibly problematic. Users generally don’t understand what they’re consenting to, and services or products might be denied if the user doesn’t consent to everything the enterprise demands—an unfair all-or-nothing game that does not foster trust.
More technically, these consent demands don’t give customers a record of what personal data they give out to whom and for what purposes. On this front, Ubisecure suggests enterprises issue consent receipts to give users a clear record of what personal information they gave and how it will be used. This should help foster customer trust, which is essential to encouraging repeat customers.
This article actually begins with a more philosophical take on privacy: how it relates to our public actions and why we value it—and moreover, how individual privacy concerns can be. Some services and products can be so private and personal that even being publically associated with it can be a violation of privacy to some users.
While Ubisecure’s article is of more help to the individual employee than the enterprise, your employees’ behaviors can radically determine your data security. Instructing you employees on identity best practices is vital to preserving your own networks—especially if those employees have purchasing power of any sort. With that in mind, the key finding in this post is acting on a zero-trust model in day-to-day online life. If it is a service you are not familiar with, do not give them your personal identity data. Look up an alternative service or product if possible. If that is not possible, look for certifications that the site in question treats their user data properly.
Cybersecurity is the opposite of user experience. Or at least that is the common perception Ubisecure confronts in this blog post. More specifically, the problem is that a good user experience can make or break a customer-facing enterprise. User interface and user experience improvements can increase conversion rates by anywhere between 200% and 400%—far too much for any enterprise to turn down. So they tend to let cybersecurity procedures slip.
Yet Ubisecure isn’t convinced that there needs to be a divide between user experience and cybersecurity. In their opinion, a CIAM solution can bridge the gap between the two via the implementation of a balanced security policy with a multitude of authentication options. This allows for a level of customization so you can fit your authentication methods with your customer bases’ needs rather than harassing them and driving away business.
Ubisecure notes that single sign-on and step-up authentication are two equally valid authentication tools with two different focuses. Both can be essential for users navigating your applications. They call it the difference between the two methods lateral and vertical movement, respectively.
Single sign-on stores a user’s session identity authentication information on the browser or via the identity provider, telling other applications that this user is already authenticated. An identity provider can manage session creation, token insurance (if tokens are utilized as an authentication factor), and verification transparency to facilitate ease of movement through enterprise applications.
Meanwhile, step-up authentication applies when the user needs to access more confidential information after they entered minimal identity authentication factors; to pass through a more secure area, the user needs to offer more secure authentication methods. After all, social media credentials login shouldn’t allow a user to access financial records. Instead, they should be asked for a hard token or biometric authentication to verify their identity before stepping up to that security level.
In other words, Ubisecure states that single sign-on is about convenience for low-level applications while step-up is more concerned with securing sensitive data. You can implement both to balance user experiences and identity data security.